Security Incidents mailing list archives
RE: TCP port 5000 syn increasing
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 19 May 2004 10:26:40 -0500
--On Wednesday, May 19, 2004 10:58:34 AM +1200 Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Paul Schmehl <pauls () utdallas edu> wrote:
>> I'd be inclined to agree with you, Jose. I suspect this is something new that's been "distributed" through a bot network of already compromised machines (Agobot/Gaobot). I'm seeing *some* correlation between hosts "poking" me on 3217 and 6129 (Agobot for sure) and 5000, but not on the other ports.
>
> By "*some* correlation" do you mean "temporally close" or just "these IPs hit those three ports in the last 24 hours"?

I mean both at the same time and from the same IP. Unfortunately, Roger hasn't made it easy to extract serial data from wormradar yet, or I would post the evidence here. What I've been seeing for some time now is a massive amount of probes on ports 3127 and 6129 (repeatedly from the same IP addresses) interspersed with an occasional probe on 5000 from the *same* IP. This leads me to believe that at least *some* of the 5000 probing is deliberate rather than automated.
Furthermore, I saw the first probe on 5000 on 4/24, long before either of the recent worms being blamed for this traffic came out. Joe Stewart makes a good case for at least *some* of that traffic coming from the one worm (I'm sorry, but the names all seem to run together these days), but I'm not convinced that all of it is.
BTW, I second your comments about wormradar. Everyone should have at least one running on their network, if for no other reason than to amaze them with the amount of crap floating around on the Internet.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
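As an added example (not part of this thread or of wormradar), here is a small Python correlator over constructed firewall log lines that separates the two readings Nick asked about: a 3127/6129 probe and a 5000 probe from the same source IP within a short window ("temporally close") versus merely within the same 24 hours. The log layout, the regex and the IP addresses are assumptions made for the example.

```python
# Added example, not from the thread: correlate SYN probes on the Agobot
# ports (3127/6129) with probes on port 5000 from the same source IP.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines; the regex below assumes this layout.
SAMPLE_LOG = """\
May 18 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=3127 SYN
May 18 10:00:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=6129 SYN
May 18 10:00:04 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=5000 SYN
May 18 10:05:00 fw kernel: IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP DPT=3127 SYN
May 18 22:30:00 fw kernel: IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP DPT=5000 SYN
May 18 11:00:00 fw kernel: IN=eth0 SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=5000 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+) SYN")
BOT_PORTS = {3127, 6129}   # backdoor ports named in the thread
TARGET_PORT = 5000         # the port whose SYNs are under discussion

def parse(log, year=2004):
    """Yield (timestamp, src_ip, dport) for each matching SYN line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def correlate(log, window_s=60):
    """Map each IP that probed 5000 to "temporal" (a 3127/6129 probe within
    window_s seconds), "same-day" (only within 24 hours) or None."""
    hits = defaultdict(list)
    for ts, src, dport in parse(log):
        hits[src].append((ts, dport))
    verdict = {}
    for src, events in hits.items():
        targets = [t for t, p in events if p == TARGET_PORT]
        bots = [t for t, p in events if p in BOT_PORTS]
        if not targets:
            continue                       # IP never touched 5000
        gaps = [abs(t - b) for t in targets for b in bots]
        if any(g <= timedelta(seconds=window_s) for g in gaps):
            verdict[src] = "temporal"
        elif any(g <= timedelta(hours=24) for g in gaps):
            verdict[src] = "same-day"
        else:
            verdict[src] = None            # 5000 only, no bot-port probe nearby
    return verdict
```

Only the "temporal" bucket supports the same-source, same-moment reading; the "same-day" bucket is what a plain 24-hour IP overlap would report.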