Snort mailing list archives
Possible scr worm
From: john.ruff () us abb com
Date: Mon, 20 Aug 2001 11:23:59 -0400
Any idea what might be causing this alert to be generated? I realize it's POP3 traffic (probably someone's internet mail acct.), but is there something new out there generating these alerts? I've actually got about 3600 of these alerts which just started Saturday (8/18/01). Need more info let me know.

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 216.136.173.10:110 -> 130.110.93.68:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x878CAF66 Ack: 0x2AE6A993 Win: 0x4470 TcpLen: 20

***One thing additional...the source is the same IP address, the destination is a user pc on my network but the TCP ports on the destination are increasing incrementally with each attack (now up to 3700).

View sample from alert_fast log:

08/20-03:55:25.262609 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3501
08/20-03:56:28.128075 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3502
08/20-03:57:31.278385 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3503
08/20-03:58:30.177705 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3504
08/20-03:59:29.282157 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3505
08/20-04:00:30.082391 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3506
08/20-04:01:36.289142 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3507
08/20-04:02:36.552131 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3510
08/20-04:03:34.645432 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3511
08/20-04:04:34.201745 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3512
08/20-04:05:38.042166 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3513
08/20-04:06:40.937557 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3514
08/20-04:07:41.323420 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3515
08/20-04:08:38.181577 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3516
08/20-04:09:42.501863 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3518
08/20-04:10:45.457088 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3519
08/20-04:11:46.159375 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3520
08/20-04:12:43.002994 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3522
08/20-04:13:43.367405 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3523
08/20-04:14:53.188124 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3524
08/20-04:15:48.119412 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3525
08/20-04:16:49.589955 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3527
08/20-04:17:47.769268 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3528
08/20-04:18:51.876047 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3529
08/20-04:19:58.743633 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3530
08/20-04:20:53.806513 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3531
08/20-04:21:51.748421 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3538
08/20-04:22:52.452612 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3539
08/20-04:23:59.860961 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3543
08/20-04:24:59.094425 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3544
08/20-04:25:57.487208 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3545
08/20-04:26:56.926689 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3546
08/20-04:28:00.978404 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3547
08/20-04:29:02.209173 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3548
08/20-04:30:02.733367 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3549
08/20-04:31:00.767679 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3551
08/20-04:32:05.149634 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3552
08/20-04:33:07.774311 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3553
08/20-04:34:06.534375 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3554
08/20-04:35:06.447402 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3555
08/20-04:36:06.854139 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3556

Regards,
John Ruff

"Shortcuts make for long delays." - J.R.R. Tolkien
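Added example, not part of the original post: a Python triage script that parses alert_fast lines in the format shown above (including when they are run together on one line) and summarises each signature/source/destination group by alert count, destination-port range, whether the ports only increase, and the median spacing between alerts. The function names and the `year` parameter are assumptions of this example (alert_fast timestamps carry no year); the embedded sample is five alerts copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text, year=2001):
    """Yield one dict per alert; the log has no year, so the caller supplies it."""
    for m in ALERT_RE.finditer(text):  # finditer copes with run-together text
        a = m.groupdict()
        a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        yield a

def summarize(text, year=2001):
    """Group by (sid, src, sport, dst) and describe each group's pattern."""
    groups = defaultdict(list)
    for a in parse_alerts(text, year):
        groups[(a["sid"], a["src"], a["sport"], a["dst"])].append(a)
    report = {}
    for key, alerts in groups.items():
        alerts.sort(key=lambda a: a["time"])
        ports = [a["dport"] for a in alerts]
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
        report[key] = {
            "count": len(alerts),
            "dst_ports": (min(ports), max(ports)),
            "ports_increasing": all(x < y for x, y in zip(ports, ports[1:])),
            "median_gap_s": round(median(gaps), 1) if gaps else None,
        }
    return report

# Five alerts copied from the post's alert_fast sample, joined on one line.
SAMPLE = " ".join(
    f"08/20-{t} [**] [1:729:1] Virus - Possible scr Worm [**] {{TCP}} "
    f"216.136.173.10:110 -> 130.110.93.68:{p}"
    for t, p in [("04:00:30.082391", 3506), ("04:01:36.289142", 3507),
                 ("04:02:36.552131", 3510), ("04:03:34.645432", 3511),
                 ("04:04:34.201745", 3512)])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single server port, a steadily rising client port and an even gap between alerts is the shape of one client opening a new connection at a fixed interval, which is worth establishing before treating every alert as a separate event.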