Educause Security Discussion mailing list archives

Re: Any ideas?


From: "Piscitello, Frank" <frank () WCUPA EDU>
Date: Mon, 19 Jan 2004 16:50:52 -0500

Didn't even notice that myself.  Here's a sample from Ethereal.  The source seems to change (spoofed) but
the destination is constant.

Internet Protocol, Src Addr: 144.26.154.181 (144.26.154.181), Dst Addr: 68.202.199.235 (68.202.199.235)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 60
    Identification: 0x0100 (256)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x0337 (correct)
    Source: 144.26.154.181 (144.26.154.181)
    Destination: 68.202.199.235 (68.202.199.235)
Transmission Control Protocol, Src Port: 518 (518), Dst Port: 6667 (6667), Seq: 305419896, Ack: 16777216, Len: 20
    Source port: 518 (518)
    Destination port: 6667 (6667)
    Sequence number: 305419896
    Next sequence number: 305419916
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        .... ..1. = Syn: Set
    Window size: 512
    Checksum: 0xf09f (incorrect, should be 0xf08b)
Internet Relay Chat
    Request Line:
 


------------------------------------------------------------------
Frank J. Piscitello, Jr. 
Information Security Manager    
Office of Information Security
West Chester University of PA
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.
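The header fields in the Ethereal dump above are the useful evidence: the source address changes from packet to packet, but IP ID 0x0100, sequence 305419896 (0x12345678), acknowledgement 16777216 (0x01000000), window 512 and source port 518 never do, and the TCP checksum is wrong. A real TCP stack randomises those fields; a packet-crafting tool cycling through spoofed sources does not. The block below is an added example, not code from the thread or from any tool or vendor it names. It rebuilds a packet from the dump's fields, confirms the two checksums Ethereal reports (IP header checksum 0x0337, expected TCP checksum 0xf08b), and runs a small detector that flags many sources sending SYNs with identical header constants to one host:port. The extra source hosts in 144.26.154.0/24, the "normal" comparison SYN and the 10.0.0.1 destination are constructed for illustration; the only values taken from the page are those in the dump.

```python
"""Added example (not from the thread): rebuild the crafted SYN from the Ethereal
dump, verify its checksums, and detect the rotating-source / constant-header
pattern.  All packets are constructed here; no capture file is read."""
import socket
import struct
from collections import Counter, defaultdict

# Constants copied from the dump: IP ID 256, seq 0x12345678, ack 0x01000000, window 512
IP_ID, SEQ, ACK, WINDOW = 0x0100, 0x12345678, 0x01000000, 512


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes, pseudo_len: int = None) -> int:
    """TCP checksum over pseudo-header + segment, with the checksum field zeroed.
    pseudo_len defaults to the real segment length; a smaller value reproduces a
    tool that checksummed the bare header before padding the segment."""
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    length = len(segment) if pseudo_len is None else pseudo_len
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)
    return checksum(pseudo + seg)


def build_packet(src, dst, sport=518, dport=6667, ip_id=IP_ID, seq=SEQ, ack=ACK,
                 window=WINDOW, ttl=127, payload=b"\x00" * 20, tcp_csum=None) -> bytes:
    """IPv4 + TCP SYN laid out like the dump: 20-byte IP header, 20-byte TCP header,
    20 zero data bytes (Total Length 60).  tcp_csum=None computes a correct TCP
    checksum; the captured packet carried 0xf09f."""
    segment = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x02, window, 0, 0) + payload
    if tcp_csum is None:
        tcp_csum = tcp_checksum(src, dst, segment)
    segment = segment[:16] + struct.pack("!H", tcp_csum) + segment[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill IP header checksum
    return ip + segment


def parse(pkt: bytes) -> dict:
    """Extract the fields the detector needs from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, _off, flags, window, csum = struct.unpack("!HHIIBBHH", tcp[:18])
    return dict(src=src, dst=dst, sport=sport, dport=dport, ip_id=ip_id, ttl=pkt[8],
                seq=seq, ack=ack, window=window, syn=(flags & 0x12) == 0x02,
                ip_csum_ok=checksum(pkt[:ihl]) == 0,           # valid header sums to zero
                tcp_csum_ok=tcp_checksum(src, dst, tcp) == csum)


def is_constant(values, frac: float) -> bool:
    """True when one value covers at least `frac` of the packets (tolerates stray real traffic)."""
    return Counter(values).most_common(1)[0][1] >= frac * len(values)


def find_spoofed_syn_floods(packets, min_sources=3, frac=0.8) -> dict:
    """Group SYNs by destination host:port and report groups where the source
    address varies but IP ID, seq and ack do not: a crafted-packet signature."""
    groups = defaultdict(list)
    for p in map(parse, packets):
        if p["syn"]:
            groups[(p["dst"], p["dport"])].append(p)
    alerts = {}
    for key, ps in groups.items():
        sources = {p["src"] for p in ps}
        constant = [f for f in ("ip_id", "seq", "ack", "window", "sport")
                    if is_constant([p[f] for p in ps], frac)]
        if len(sources) >= min_sources and {"ip_id", "seq", "ack"} <= set(constant):
            alerts[key] = dict(sources=len(sources), constant=constant,
                               bad_tcp_csum=sum(not p["tcp_csum_ok"] for p in ps))
    return alerts


# Constructed sample: eight spoofed sources on the student /24 (only .181 is from the
# dump), each carrying the captured bad checksum 0xf09f, plus one ordinary-looking SYN
# to the same IRC server and one unrelated SYN to a hypothetical web server.
SAMPLE = [build_packet("144.26.154.%d" % h, "68.202.199.235", tcp_csum=0xF09F)
          for h in (181, 23, 77, 140, 201, 12, 96, 250)]
SAMPLE.append(build_packet("144.26.154.9", "68.202.199.235", sport=3422, ip_id=0x7A31,
                           seq=0x9C4E2101, ack=0, window=65535, payload=b""))
SAMPLE.append(build_packet("144.26.154.55", "10.0.0.1", sport=4000, dport=80, ip_id=0x1111,
                           seq=0xAAAA0000, ack=0, window=16384, payload=b""))

if __name__ == "__main__":
    for key, info in find_spoofed_syn_floods(SAMPLE).items():
        print("spoofed SYN flood to %s:%d" % key, info)
```

Two details fall out of the arithmetic. The IP header checksum the code computes is 0x0337, matching Ethereal's "correct", and the TCP checksum computed over the full 40-byte segment is 0xf08b, matching Ethereal's "should be". Recomputing with the pseudo-header length set to 20 instead of 40 gives exactly the captured 0xf09f: the tool checksummed a bare 20-byte header and then padded the segment with 20 zero bytes without updating the checksum, which is why Ethereal shows 20 bytes of data under an empty IRC request line. The TTL of 127 is one below the common Windows default of 128, so the capture point is one hop from the real sender; since the source address is spoofed, the TTL locates the sending host relative to the sniffer but does not identify it, and the switch port or MAC address behind each packet is the better lead.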

-----Original Message-----
From: Matthew Keller [mailto:kellermg () POTSDAM EDU] 
Sent: Monday, January 19, 2004 4:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Any ideas?

Bagle listens on port 6777 not 6667. This is likely to be an IRCbot
virus, probably Agobot (http://www.f-secure.com/v-descs/agobot.shtml) or
something like it.


On Mon, 2004-01-19 at 16:38, Christopher Condie wrote:
I think you may be experiencing the W32.Beagle worm.  If you go to 
http://www.symantec.com you can get information on how to get rid of 
the worm.  It should destroy itself also as of the 28th of January 
according to Symantec.

Just a thought,

Christopher R. Condie
Oakland University
Security and Helpdesk Manager
condie () oakland edu
----- Original Message -----
From: "Piscitello, Frank" <frank () WCUPA EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, January 19, 2004 4:27 PM
Subject: [SECURITY] Any ideas?


I have what I'm assuming is a worm/scanner that is attempting to 
connect to 68.202.199.235 on port 6667. The mystery is that the source 
IP seems to be every address on my one student subnet. The IP packet 
is 60 bytes and the Frame is 74 bytes. There is no actual data.

Any ideas?
-Frank


------------------------------------------------------------------
Frank J. Piscitello, Jr.
Information Security Manager
Office of Information Security
West Chester University of PA
West Chester, PA 19383
Phone: 610-436-3192
Fax: 610-436-3110
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

**********
Participation and subscription information for this EDUCAUSE 
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

--
Matthew Keller
Enterprise Systems Analyst
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY USA
http://mattwork.potsdam.edu/


