Snort mailing list archives
Re: New Blaster variant?
From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 28 Oct 2003 22:09:05 -0500
Security Admin wrote:
Port 27347 is a sub 7 trojan port. The following worm is also known to use this port after infection through Kazza etc.....W32/Spybot.worm.gen.
No, 27374 is sub seven, but there has been a recent spike in 27347.
All I've heard is a variant where infected machines are found to be listening on port 707. This information is not confirmed yet and noAV vendors are reporting anything.
707 is a Nachi variant and has been documented for some time, I shutdown a dozen or so ports today. See McAfee's page: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559
Sniffer Customers: A new filter has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
These systems typically have 4444 open as well, like the original Nachi. Jeff ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- New Blaster variant? Bryan Oser (Oct 28)
- Re: New Blaster variant? Jim Brown (Oct 28)
- <Possible follow-ups>
- RE: New Blaster variant? Security Admin (Oct 28)
- Re: New Blaster variant? Jeff Kell (Oct 28)