nanog mailing list archives
Re: worm information
From: Jeff Workman <jworkman () pimpworks org>
Date: Sat, 10 Apr 2004 13:53:15 -0400
--On Saturday, April 10, 2004 8:35 AM -0700 "Christopher J. Wolff" <chris () bblabs com> wrote:
There's a number of viruses/worms in the wild that are programmed to exploit various M$ vulnerabilities:Hello, Over the last few days I've seen a number of hosts attempt to initiate TCP connections to the following ports in sequence. 80 139 445 6129 3127 1025 135 2745 ...repeat.
80 - IIS WebDAV (MS03-007)and any number of other IIS vulnerabilities 135 - DCOM RPC (MS03-026) 445 - RPC locator (MS03-001) and Workstation service (MS03-049) 139 - Unpassworded NetBIOS sharesI'm not sure about the other ports, I *think* 1025 has something to do with MS RPC as well, but don't quote me on that.
What you are probably seeing, at least in the cases involving the ports I listed above, is one of the many W32.Gaobot (Symantec)[1] variants.
-J[1] http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
-- Jeff Workman | jworkman () pimpworks org | http://www.pimpworks.org
Current thread:
- worm information Christopher J. Wolff (Apr 10)
- Re: worm information Jeff Workman (Apr 10)
- Re: worm information Darrell Greenwood (Apr 10)
- Re: worm information ravi pina (Apr 10)
- RE: worm information Christopher J. Wolff (Apr 10)
- Re: worm information ravi pina (Apr 10)
- RE: worm information Christopher J. Wolff (Apr 10)
- Re: worm information Darrell Greenwood (Apr 10)
- Re: worm information Jeff Workman (Apr 10)