Bugtraq mailing list archives
Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?
From: "Steve Browning" <browningsteve () hotmail com>
Date: Sat, 27 Mar 2004 01:25:10 +0000
Everyone, over the past 4 days I have been observing very random outgoing connection requests to a single external machine on the inet over ports 3127 and 3198.
The three machines in question are running Windows 2000 Server with all security fixes and current Symantec anti-virus definitions. The following characteristics are being observed:
1. Outgoing connections started on Tuesday morning. Approximately 3 probes an hour.
2. Each machine is trying to reach the same IP address on the inet. (IP belongs to a private company)
3. Probes slowed down on Tuesday afternoon, then stopped altogether. On Wednesday afternoon I observed a couple of more probes then nothing.
I have scanned these machines with AV software, no viruses detected, and because the ports in question are normally associated with Novarg/mydoom/doomjuice I ran the removal utilities from Microsoft and the AV vendor which detected nothing either.
I visited the machines and ran FPORT, PSlist and a couple of other tools and detected no unusual processes. I also scanned each of the machines with Nmap and Nessus and detected nothing out of the ordinary. (no open ports other than MS stuff etc) I have blocked all outgoing access to the IP in question. (the ports were already closed incoming/outgoing) I have also placed a sniffer in front of these machines configured to capture traffic going to the suspect IP address, so far nothing.
Does anyone have any idea whether there is an unknown virus/worm using TCP 3127/3198? I will be rebuilding these machines shortly but I just wanted to get some feedback or see whether anyone else was experiencing similar problems.
Thanks in advance for any replies, Steve
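The hunting step the post describes (spotting a handful of low-rate outbound connection attempts to TCP 3127/3198 and noticing that several internal hosts are all reaching for the same external IP) is easy to automate over whatever log the perimeter device or sniffer produces. The script below is an added example for this thread, not code from the original poster. The log lines are constructed; their field layout is modelled loosely on a W3C-style firewall log, and the 192.168.0.0/16 "internal" range, the addresses and the timestamps are assumptions for the illustration.

```python
"""Hunt for low-rate outbound probes to a small set of TCP ports.

Parses firewall-style log lines, keeps outbound TCP SYNs to the ports of
interest, groups them by (internal host, external destination) and reports
probe counts, the ports used and an approximate rate per hour. It also
lists destinations that more than one internal host is reaching for, which
is the correlation that makes a quiet beacon stand out.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Ports the thread associates with Novarg/MyDoom/Doomjuice-style traffic.
SUSPECT_PORTS = frozenset({3127, 3198})

# Hypothetical site range; adjust for the network being examined.
INTERNAL_PREFIX = "192.168."

# Constructed sample log (not real data): two internal hosts probe the same
# external IP, plus one normal web connection, one inbound attempt that must
# be ignored, and a header/comment line.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port tcpflags
2004-03-23 08:02:11 OPEN TCP 192.168.1.10 203.0.113.45 1302 3127 S
2004-03-23 08:21:40 OPEN TCP 192.168.1.10 203.0.113.45 1311 3198 S
2004-03-23 08:44:05 OPEN TCP 192.168.1.10 198.51.100.7 1320 80 S
2004-03-23 09:01:59 OPEN TCP 192.168.1.11 203.0.113.45 1040 3127 S
2004-03-23 09:05:13 OPEN TCP 203.0.113.99 192.168.1.10 5555 3127 S
2004-03-23 09:59:30 OPEN TCP 192.168.1.10 203.0.113.45 1335 3127 S
"""


class Record(NamedTuple):
    ts: datetime
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def parse_log(text: str) -> List[Record]:
    """Parse whitespace-separated log lines; skip comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, src, dst, sport, dport, flags = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append(Record(ts, action, proto, src, dst, int(sport), int(dport), flags))
    return records


def is_outbound_syn(rec: Record) -> bool:
    """Internal source, external destination, TCP connection attempt (SYN only)."""
    return (rec.proto == "TCP" and rec.flags == "S"
            and rec.src.startswith(INTERNAL_PREFIX)
            and not rec.dst.startswith(INTERNAL_PREFIX))


def suspect_flows(records: List[Record],
                  ports=SUSPECT_PORTS) -> Dict[Tuple[str, str], dict]:
    """Group outbound SYNs to suspect ports by (src host, dst IP)."""
    flows: Dict[Tuple[str, str], dict] = {}
    for rec in records:
        if not is_outbound_syn(rec) or rec.dport not in ports:
            continue
        entry = flows.setdefault((rec.src, rec.dst),
                                 {"count": 0, "ports": set(), "first": rec.ts, "last": rec.ts})
        entry["count"] += 1
        entry["ports"].add(rec.dport)
        entry["first"] = min(entry["first"], rec.ts)
        entry["last"] = max(entry["last"], rec.ts)
    for entry in flows.values():
        # Rate over the observed window; a window under one hour counts as one
        # hour so a single probe does not divide by zero or look like a flood.
        hours = max((entry["last"] - entry["first"]).total_seconds() / 3600.0, 1.0)
        entry["per_hour"] = entry["count"] / hours
        entry["ports"] = sorted(entry["ports"])
    return flows


def shared_destinations(flows: Dict[Tuple[str, str], dict]) -> Dict[str, List[str]]:
    """External IPs that more than one internal host is probing."""
    by_dst: Dict[str, List[str]] = {}
    for (src, dst) in flows:
        by_dst.setdefault(dst, []).append(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = suspect_flows(parse_log(SAMPLE_LOG))
    for (src, dst), e in sorted(found.items()):
        print(f"{src} -> {dst}: {e['count']} probes, ports {e['ports']}, "
              f"~{e['per_hour']:.2f}/hour, {e['first']} .. {e['last']}")
    for dst, srcs in shared_destinations(found).items():
        print(f"shared destination {dst}: {', '.join(srcs)}")
```

Pointing this at a day of perimeter or sniffer output and watching the shared-destination list is enough to confirm the pattern the post describes (several hosts, one external IP, a few probes an hour) before deciding whether to rebuild; a single-host, single-probe hit is far less interesting than the same destination showing up under three different sources.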