Re: Re: [Dshield] new msblaster on the loose?

[Victor Vieira <victorvieira82 () yahoo com>]

Jeremiah, I can tell you with no further delays that at least 60-70% of the portscans I have been catching with a 
simple homebased personal firewall have been for the two ports you mentioned - especially the 135, much more constant 
than any other - a predictable happening, with the blast worldwide spread. 
I didn't, however, take the time to analyze the origin of those portscans - I have caught packages from Brazil and the 
US. Do you have any other statistics on the subject?
 
Victor Vieira
DSM Losango, Brazil - Lloyds TSB Group
victor.vieira () losango com br 
victorvieira82 () yahoo com
 


Jeremiah Cornelius <jeremiah () nur net> wrote:Interesting phenomenon emerging:

We have noticed in our log aggregators that some of the same hosts yesterday
that were doing port 135 scans... today seem to be doing some port 1026
scans. This is a listener port for MS Messenger. List follwers will
remember that this has been used as an avenue for spammers to send "pop-up"
alerts on users desktops.

farm9 (the InfoSec group I work for) is keeping an eye on this - we
correlate syslog, winlog, IDS and firewall data from a dozen or so
enterprises.

Has anybody spotted similar activity? It would be interesting to see if
this is a new worm iteration. Maybe sombody clever has figured they can
deliver MSSBlast.exe or phallus32.exe via Messenger.

I have already noticed curious folks that find that they can bind to a shell
on 4444, and are now fiddling around here - for a minute or so... ;-)

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc () farm9 com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson



---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software