Full Disclosure mailing list archives
Re: Re: [Dshield] new msblaster on the loose?
From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Wed, 13 Aug 2003 16:46:52 -0700
Interesting phenomenon emerging: We have noticed in our log aggregators that some of the same hosts yesterday that were doing port 135 scans... today seem to be doing some port 1026 scans. This is a listener port for MS Messenger. List follwers will remember that this has been used as an avenue for spammers to send "pop-up" alerts on users desktops. farm9 (the InfoSec group I work for) is keeping an eye on this - we correlate syslog, winlog, IDS and firewall data from a dozen or so enterprises. Has anybody spotted similar activity? It would be interesting to see if this is a new worm iteration. Maybe sombody clever has figured they can deliver MSSBlast.exe or phallus32.exe via Messenger. I have already noticed curious folks that find that they can bind to a shell on 4444, and are now fiddling around here - for a minute or so... ;-) -- Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut farm9 Security email: jc () farm9 com - mobile: 415.235.7689 "What would be the use of immortality to a person who cannot use well a half hour?" --Ralph Waldo Emerson _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- new msblaster on the loose? David Vincent (Aug 13)
- Re: new msblaster on the loose? Person (Aug 13)
- Re: [Dshield] new msblaster on the loose? John Sage (Aug 13)
- Re: Re: [Dshield] new msblaster on the loose? Joey (Aug 13)
- Re: Re: [Dshield] new msblaster on the loose? Jeremiah Cornelius (Aug 13)
- Re: Re: [Dshield] new msblaster on the loose? Victor Vieira (Aug 18)
- Re: Re: [Dshield] new msblaster on the loose? Joey (Aug 13)
- <Possible follow-ups>
- RE: new msblaster on the loose? Kane Lightowler (Aug 14)
- Re: new msblaster on the loose? Jay Woody (Aug 14)
- RE: new msblaster on the loose? Arnold, Jamie (Aug 14)
- RE: Re: new msblaster on the loose? Robert Ahnemann (Aug 14)