Snort mailing list archives

Re: New Blaster variant?

From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 28 Oct 2003 22:09:05 -0500

Security Admin wrote:

Port 27347 is a sub 7 trojan port. The following worm is also known
to use this port after infection through Kazza
etc.....W32/Spybot.worm.gen.


No, 27374 is sub seven, but there has been a recent spike in 27347.

All I've heard is a variant where infected machines are found to belistening on port 707. This information is not confirmed yet and no
AV vendors are reporting anything.


707 is a Nachi variant and has been documented for some time, I shutdown
a dozen or so ports today.  See McAfee's page:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559

Sniffer Customers:  A new filter has been developed that will look
for any traffic exploiting the RPC Exploit, plus traffic on port 4444
(Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and
Sniffer Portable 4.7.5).


These systems typically have 4444 open as well, like the original Nachi.

Jeff



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

New Blaster variant? Bryan Oser (Oct 28)
- Re: New Blaster variant? Jim Brown (Oct 28)
- <Possible follow-ups>
- RE: New Blaster variant? Security Admin (Oct 28)
  - Re: New Blaster variant? Jeff Kell (Oct 28)