Educause Security Discussion mailing list archives
Re: symantec targetting worm
From: David Gillett <gillettdavid () FHDA EDU>
Date: Thu, 28 Dec 2006 17:02:13 -0800
It hasn't been getting enough traction here to cause problems. Most of the source addresses claim to be dial-ups in Slovenia. Haven't seen 139 or 445, but other addresses have been scanning 5900.

David Gillett
-----Original Message-----
From: robin [mailto:mstubbs () FACSTAFF WISC EDU]
Sent: Thursday, December 28, 2006 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] symantec targetting worm

Some subnets here are having a bit of trouble with a worm that in particular seems to be going for tcp port 2967, which we would guess is aiming for the SAVCE managed client port. In some cases the worm or worms also go for tcp port 139, 445 and/or 5900.

Anyone seeing this and have some advice? Have worms been id'd other than these at other edu's?

http://www.symantec.com/enterprise/security_response/weblog/2006/11/spybot_attempts_to_exploit_old.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-121309-3331-99
http://smallbiz.symantec.com/security_response/writeup.jsp?docid=2006-122314-5625-99&tabid=2

There was quite a spike in scanning in recent times:
http://isc.sans.org/port_details.php?port=2967

Speaking of possible sym06-010 exploits, here is a nice chart about upgrading it:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248?OpenDocument&src=ent_hot&dtype=corp&seg=ent&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.1&tpre=