Security Incidents mailing list archives

Re: What's on udp/2002 ?


From: Russell Harding <hardingr () cunap com>
Date: Wed, 18 Sep 2002 14:05:02 -0700 (MST)

Guido,

  Perhaps you've been living in a cave the last week....

The new 'Modap' OpenSSL worm communicates on UDP port 2002.
Additionally, the worm uses TCP 1080 for its internal proxy
communication, which can be turned on or off.  Perhaps you've
got an infected system?

List of target systems follows: (from worm source code)

 architectures[] = {

 {"Gentoo", "", 0x08086c34},
 {"Debian", "1.3.26", 0x080863cc},
 {"Red-Hat", "1.3.6", 0x080707ec},
 {"Red-Hat", "1.3.9", 0x0808ccc4},
 {"Red-Hat", "1.3.12", 0x0808f614},
 {"Red-Hat", "1.3.12", 0x0809251c},
 {"Red-Hat", "1.3.19", 0x0809af8c},
 {"Red-Hat", "1.3.20", 0x080994d4},
 {"Red-Hat", "1.3.26", 0x08161c14},
 {"Red-Hat", "1.3.23", 0x0808528c},
 {"Red-Hat", "1.3.22", 0x0808400c},
 {"SuSE", "1.3.12", 0x0809f54c},
 {"SuSE", "1.3.17", 0x08099984},
 {"SuSE", "1.3.19", 0x08099ec8},
 {"SuSE", "1.3.20", 0x08099da8},
 {"SuSE", "1.3.23", 0x08086168},
 {"SuSE", "1.3.23", 0x080861c8},
 {"Mandrake", "1.3.14", 0x0809d6c4},
 {"Mandrake", "1.3.19", 0x0809ea98},
 {"Mandrake", "1.3.20", 0x0809e97c},
 {"Mandrake", "1.3.23", 0x08086580},
 {"Slackware", "1.3.26", 0x083d37fc},
 {"Slackware", "1.3.26", 0x080b2100}
};

    -Russell

On Wed, 18 Sep 2002, Guido Van De Velde wrote:

At least something very interesting, according to our fw logs.
Anyone any idea ?

TIA
--
guido


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
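Added example, not part of the original thread: a triage pass over firewall logs that separates internal hosts originating udp/2002 traffic (the worm's peer channel named above) from hosts that are only being probed, and notes tcp/1080 hits. The iptables-style log fields, the 10.0.0.0/8 internal range, the peer threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the post): log field layout, internal range, threshold.
# The ports udp/2002 and tcp/1080 are the ones named in the post.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PEER_THRESHOLD = 3
FIELD = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
fw: SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002
fw: SRC=10.0.0.5 DST=198.51.100.20 PROTO=UDP SPT=2002 DPT=2002
fw: SRC=10.0.0.5 DST=203.0.113.30 PROTO=UDP SPT=2002 DPT=2002
fw: SRC=10.0.0.7 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002
fw: SRC=203.0.113.30 DST=10.0.0.9 PROTO=UDP SPT=2002 DPT=2002
fw: SRC=10.0.0.9 DST=192.0.2.53 PROTO=UDP SPT=40000 DPT=53
fw: SRC=not-an-ip DST=10.0.0.8 PROTO=UDP SPT=2002 DPT=2002
"""

def classify(log_text):
    """Return {internal_host: verdict} for hosts seen on udp/2002 or tcp/1080."""
    peers, probed, proxied = defaultdict(set), set(), set()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except ValueError:
            continue  # skip lines with unparseable addresses
        src_in, dst_in = src in INTERNAL, dst in INTERNAL
        if f["PROTO"] == "UDP" and f["DPT"] == "2002":
            if src_in and not dst_in:
                peers[str(src)].add(str(dst))   # internal host talking outward
            elif dst_in and not src_in:
                probed.add(str(dst))            # external host knocking inward
        elif f["PROTO"] == "TCP" and f["DPT"] == "1080" and dst_in:
            proxied.add(str(dst))
    verdicts = {}
    for host in sorted(set(peers) | probed | proxied):
        n = len(peers.get(host, ()))
        if n >= PEER_THRESHOLD:
            verdicts[host] = "likely-infected"
        elif n or host in proxied:
            verdicts[host] = "investigate"
        else:
            verdicts[host] = "probed"
    return verdicts
```

Inbound-only hits usually mean scanning from already infected peers; outbound udp/2002 to several distinct external addresses is the pattern worth pulling a host off the network for.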



