Educause Security Discussion mailing list archives

Re: Am I the only one?


From: Kathy Bergsma <kathya () NERSP NERDC UFL EDU>
Date: Wed, 14 Apr 2004 16:44:53 -0400

The latest variant on our network spreads via shares protected with weak
passwords.

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.zx.html

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

On Wed, 14 Apr 2004, Dan Jones wrote:

Agobot/Gaobot/Phatbot variants.  We have also seen tcp/5000 in the mix.

Jim Pollard wrote:

Or did I miss it on Bugtraq?  Recently I've noticed a scan pattern in my logs and wonder if anyone might recognize 
it as either a known virus or some kiddie scanning tool looking for virus backdoors?  There are some variations... 
occasionally port 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets (take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets (Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets (MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets (W32.Mockbot) also Dameware


Thanks!

Jim

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
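
Added example, not part of the original messages: one way to pull sources showing the port combination discussed in this thread (tcp/1025, 2745, 3127, 6129, with 80, 5000 and 8080 as variations) out of raw firewall drop logs. The netfilter-style line format, the sample lines, and the `min_core` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports named in the thread; the split into core/variant is this example's choice.
CORE_PORTS = {1025, 2745, 3127, 6129}
VARIANT_PORTS = {80, 5000, 8080}

# Assumed format: netfilter kernel log lines with a "net2fw:DROP:" prefix.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def ports_by_source(lines):
    """Map each source address to the set of dropped TCP destination ports."""
    seen = defaultdict(set)
    for line in lines:
        if ":DROP:" not in line:
            continue  # only dropped packets are of interest here
        m = LINE_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen

def suspected_scanners(lines, min_core=3):
    """Return sources that probed at least min_core of the core ports."""
    result = {}
    for src, ports in ports_by_source(lines).items():
        core = ports & CORE_PORTS
        if len(core) >= min_core:
            result[src] = {"core": sorted(core),
                           "variant": sorted(ports & VARIANT_PORTS)}
    return result

def _line(action, src, proto, dpt):
    # Constructed sample line builder (documentation address ranges only).
    return (f"Apr 14 10:01:02 fw kernel: Shorewall:net2fw:{action}:IN=eth1 OUT= "
            f"SRC={src} DST=192.0.2.10 LEN=48 TTL=113 PROTO={proto} "
            f"SPT=4021 DPT={dpt} WINDOW=64240 SYN")

# Constructed sample input, not taken from any real log.
SAMPLE_LOG = (
    [_line("DROP", "198.51.100.7", "TCP", p) for p in (1025, 2745, 3127, 6129, 5000)]
    + [_line("DROP", "203.0.113.9", "TCP", p) for p in (80, 3127)]   # one core port only
    + [_line("DROP", "203.0.113.20", "UDP", 1025)]                   # not TCP
    + [_line("ACCEPT", "203.0.113.30", "TCP", p) for p in (1025, 2745, 3127)]
)

if __name__ == "__main__":
    for src, hit in suspected_scanners(SAMPLE_LOG).items():
        print(src, "core:", hit["core"], "variant:", hit["variant"])
```
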
