Educause Security Discussion mailing list archives

Re: Any ideas?


From: "Piscitello, Frank" <frank () WCUPA EDU>
Date: Mon, 19 Jan 2004 16:39:48 -0500

 
I don't think it's bagle, because this started up on Friday morning.
Also, my computers are looking for the 68.202 address via port 6667,
they are not listening on the port.

------------------------------------------------------------------
Frank J. Piscitello, Jr. 
Information Security Manager    
Office of Information Security
West Chester University of PA
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

-----Original Message-----
From: Cam Beasley, ISO [mailto:cam () AUSTIN UTEXAS EDU] 
Sent: Monday, January 19, 2004 4:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Any ideas?

This is linked to the new Beagle/Bagle
worm.. Also possibly TCP 39999.

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Piscitello, Frank
Sent: Monday, January 19, 2004 3:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Any ideas?


I have what I'm assuming is a worm/scanner that is attempting to
connect to 68.202.199.235 on port 6667. The mystery is that the source
IP seems to be every address on my one student subnet. The IP packet
is 60 bytes and the Frame is 74 bytes. There is no actual data.

Any ideas? 
-Frank


------------------------------------------------------------------
Frank J. Piscitello, Jr. 
Information Security Manager  
Office of Information Security
West Chester University of PA
West Chester, PA 19383
Phone: 610-436-3192
Fax: 610-436-3110
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

**********
Participation and subscription information for this EDUCAUSE 
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
