Security Incidents mailing list archives
Modap Worm Infection and Subsequent Scanning
From: Gordon Chamberlin <glac () visualizetech com>
Date: 25 Sep 2002 08:44:36 -0700
We were infected with the variant that uses udp 4156 Sunday night. There was quite a bit of scanning on various ports thereafter, logged by the firewall. There was one very odd scan that has me concerned. The firewall logged packets going from a different server, not the infected one, to 212.82.211.42: Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664 PROTO=UDP SPT=1370 DPT=33501 LEN=18 There are eight of these messages with DPT proceeding sequential from 33501 to 33508, inclusive, within 30 seconds. Questions: Was this other host infected with something? I have searched it but been unable to find any traces of hacking. Assuming w.x.y.z hasn't been cracked, how did someone convince my server to try to contact 212.82.211.42? Any other insight or advice? Thanks. -Gordon ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Modap Worm Infection and Subsequent Scanning Gordon Chamberlin (Sep 25)
- Re: Modap Worm Infection and Subsequent Scanning Glenn Forbes Fleming Larratt (Sep 26)
- Re: Modap Worm Infection and Subsequent Scanning Valdis . Kletnieks (Sep 27)
- Re: Modap Worm Infection and Subsequent Scanning Glenn Forbes Fleming Larratt (Sep 26)