Security Incidents mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: mgotts () 2roads com
Date: Wed, 21 Apr 2004 02:16:04 -0700
Sound familiar to anyone?
Have not seen the particular virus/worm, but have seen scans from single IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence. 6129 is default port for dameware remote control agent: http://isc.sans.org/port_details.php?port=6129 3127 is used by MyDoom, Novarg and variants http://isc.sans.org/port_details.php?isc=4359007a189bdac49792ce2e8ac2f7f0&port=3127&repax=1&tarax=2&srcax=2&percent=N&days=40 I'd start with these. But it could, as always, be yet another variant. Lucky you. -- Mark Gottschalk Two Roads Professional Resources --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 mgotts (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Chris Harrington (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Arthur Clune (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Bojan Zdrnja (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Joe Stewart (Apr 22)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Kees Leune (Apr 21)