Security Incidents mailing list archives
RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: "Chris Harrington" <cmh () nmi net>
Date: Wed, 21 Apr 2004 10:41:22 -0400
Jeff,

Those are most likely Phatbot / Agobot / Gaobot infections.

http://www.lurhq.com/phatbot.html

I am seeing a lot of hosts trying to connect to our networks on those ports. In addition I also see ports 4387 and 5000 in the scans. Snort rules pick these up as Agobot variants.

Phatbot tries to replicate thru:

Mydoom, port 3127
Dameware, port 6129
Universal PnP, port 5000
WebDAV, port 80
MS SQL, port 1434
Bagle, port 4387

Symantec does have info on removal under W32.HLLW.Gaobot.gen:

http://www.sarc.com/avcenter/venc/data/pf/w32.hllw.gaobot.gen.html

Good luck with it.

--
Christopher Harrington, CISSP
Security Engineer
NMI InfoSecurity Solutions
207-780-6381, x236
http://www.nmi.net

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Tuesday, April 20, 2004 10:02 PM
To: General DShield Discussion List; Incidents
Subject: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

We have had a significant outbreak of a yet-unidentified virus on campus covering several dozen machines and one remote lab (possibly 100 in all). The characteristics I have observed remotely (no possibility of forensics at the moment, just shutting down ports) are as follows:

* listens on two random, high-numbered tcp ports
* picks a random address within the infected machine's /8 subnet
* scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral source ports (the source port is not fixed).

It could have gained entry via tcp/1025 as all the others are blocked on ingress, or it could have been brought inside via laptop. Strangely enough it has not been detected in our dorms (where most of our slime tends to grow). An off-campus lab connected via half a T1 was almost entirely consumed; I have shut down their serial interface (can't diagnose this one as the packet loss was incredibly high).

I suspect this originated as one of the MS04-xxxx exploits patched last week; we've already done this exercise with other RPC-ish vulnerabilities and taken time to update lab machines.

Sound familiar to anyone?

Jeff Kell
University of Tennessee at Chattanooga
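The scan signature Jeff describes (a source probing tcp 80, 6129, 1025, 3127 in that order against random hosts in its own /8) is something a network team can hunt for in firewall or flow logs while waiting for AV signatures. The script below is an added example, not code from either poster or from the vendors linked above; the log format and the sample lines are constructed for illustration, and the port order and the /8 observation come from the thread itself.

```python
import re
from collections import defaultdict

# Ordered port sequence Jeff Kell reports the infected hosts probing (all tcp).
SCAN_SEQUENCE = (80, 6129, 1025, 3127)

# Constructed sample connection log in a hypothetical "src:port -> dst:port" format.
# 10.4.8.15 plays the infected host; the others are benign or only partial matches.
SAMPLE_LOG = """\
2004-04-20 22:01:03 TCP 10.4.8.15:1203 -> 10.200.3.7:80 SYN
2004-04-20 22:01:03 TCP 10.4.8.15:1204 -> 10.200.3.7:6129 SYN
2004-04-20 22:01:04 TCP 10.4.8.15:1205 -> 10.200.3.7:1025 SYN
2004-04-20 22:01:04 TCP 10.4.8.15:1206 -> 10.200.3.7:3127 SYN
2004-04-20 22:01:05 TCP 10.4.8.20:2201 -> 10.200.3.7:80 SYN
2004-04-20 22:01:05 TCP 10.4.8.20:2202 -> 10.200.3.7:443 SYN
2004-04-20 22:01:06 TCP 10.4.8.15:1207 -> 10.9.1.44:80 SYN
2004-04-20 22:01:06 TCP 10.4.8.15:1208 -> 10.9.1.44:6129 SYN
2004-04-20 22:01:07 TCP 10.4.8.15:1209 -> 10.9.1.44:1025 SYN
2004-04-20 22:01:07 TCP 10.4.8.15:1210 -> 10.9.1.44:3127 SYN
2004-04-20 22:01:08 TCP 10.4.8.21:3301 -> 10.200.3.7:80 SYN
2004-04-20 22:01:08 TCP 10.4.8.21:3302 -> 10.200.3.7:3127 SYN
2004-04-20 22:01:09 TCP 10.4.8.15:1211 -> 172.16.1.1:80 SYN
"""

LINE_RE = re.compile(
    r"^\S+ \S+ TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) SYN$"
)


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a SYN line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def contains_ordered(sequence, observed):
    """True if every port of `sequence` appears in `observed` in that relative order.
    Unrelated ports in between are tolerated, so a noisy log still matches."""
    idx = 0
    for port in observed:
        if port == sequence[idx]:
            idx += 1
            if idx == len(sequence):
                return True
    return False


def same_slash8(a, b):
    """True when both addresses share the first octet (the /8 Jeff mentions)."""
    return a.split(".")[0] == b.split(".")[0]


def find_scanners(log_text, sequence=SCAN_SEQUENCE, min_targets=2):
    """Group SYNs by (src, dst) in log order, keep the pairs that saw the full
    ordered sequence, and report sources that did so against at least
    `min_targets` distinct destinations. Partial probes (e.g. 80 then 3127 only)
    and single-port web traffic do not count."""
    ports_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dst, dport = parsed
            ports_by_pair[(src, dst)].append(dport)

    hits = defaultdict(list)
    for (src, dst), ports in ports_by_pair.items():
        if contains_ordered(sequence, ports):
            hits[src].append(dst)

    report = []
    for src in sorted(hits):
        targets = sorted(hits[src])
        if len(targets) >= min_targets:
            report.append({
                "src": src,
                "targets": targets,
                "all_in_same_slash8": all(same_slash8(src, t) for t in targets),
            })
    return report


if __name__ == "__main__":
    for entry in find_scanners(SAMPLE_LOG):
        print(f"{entry['src']} probed {len(entry['targets'])} hosts with "
              f"{SCAN_SEQUENCE}; all targets in its /8: {entry['all_in_same_slash8']}")
```

Raising `min_targets` trades sensitivity for fewer false positives; a host that merely happens to talk to one web server on 80 will never complete the four-port sequence, so even `min_targets=1` is fairly specific, while two or more distinct targets in the source's own /8 is the pattern the original post describes.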