Security Incidents mailing list archives
RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Wed, 21 Apr 2004 23:08:44 +1200
Hi Jeff,
-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Wednesday, 21 April 2004 2:02 p.m.
To: General DShield Discussion List; Incidents
Subject: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

> We have had a significant outbreak of a yet-unidentified virus on campus covering several dozen machines and one remote lab (possibly 100 in all). The characteristics I have observed remotely (no possibility of forensics at the moment, just shutting down ports) are as follows:
>
> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral source ports (the source port is not fixed).
This is almost certainly some variant of Gaobot, maybe even Phatbot. Phatbot uses multiple vulnerabilities to propagate (too many to mention) and it can also spread to machines previously infected by MyDoom or Bagle. It can brute force MSSQL, kills almost all AV programs it finds on the target machine and can use the WASTE P2P protocol for remote management of infected machines.

Phatbot will scan TCP ports 80, 135, 139, 445, 3127 (MyDoom) and 6129 (Dameware). It also opens several listeners. If you can, I'd suggest port scanning infected machines with nmap to see if port 4387 is open - Phatbot uses that port for communication via the WASTE protocol.

If possible, scan machines with an AV program; some of them catch new variants generically, although Agobot/Gaobot variants seem to appear every couple of hours.

Cheers,

Bojan
CISSP
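The two checks discussed in this thread (spotting hosts that run the 80 -> 6129 -> 1025 -> 3127 sweep across random targets in their own /8, and confirming a suspect with an nmap probe of 4387/tcp) can be scripted against logs you already have. The following is an added example written for this archive page, not code from either poster. It assumes a constructed flow-log format of "epoch src sport dst dport proto" (adapt the parser to your collector) and parses nmap's grepable (-oG) output; the sample flows and nmap lines are constructed for illustration, and the minimum-target threshold of 3 is an assumption.

```python
"""Triage helpers for a Gaobot/Phatbot-style sweep (added example, not from the thread).

Assumed inputs: a flow log with lines "epoch src sport dst dport proto" and
nmap grepable (-oG) output. All sample data below is constructed.
"""
from collections import defaultdict
import ipaddress

SCAN_SEQUENCE = (80, 6129, 1025, 3127)   # TCP ports probed, in this order
WASTE_PORT = 4387                        # listener the thread suggests checking

# Constructed sample flow records (not real traffic): epoch src sport dst dport proto
SAMPLE_FLOWS = """\
1082500001 10.8.3.17 1034 10.91.4.2 80 tcp
1082500001 10.8.3.17 1035 10.91.4.2 6129 tcp
1082500002 10.8.3.17 1036 10.91.4.2 1025 tcp
1082500002 10.8.3.17 1037 10.91.4.2 3127 tcp
1082500003 10.8.3.17 1038 10.200.77.130 80 tcp
1082500003 10.8.3.17 1039 10.200.77.130 6129 tcp
1082500004 10.8.3.17 1040 10.200.77.130 1025 tcp
1082500004 10.8.3.17 1041 10.200.77.130 3127 tcp
1082500005 10.8.3.17 1042 10.5.5.5 80 tcp
1082500005 10.8.3.17 1043 10.5.5.5 6129 tcp
1082500006 10.8.3.17 1044 10.5.5.5 1025 tcp
1082500006 10.8.3.17 1045 10.5.5.5 3127 tcp
1082500007 10.8.9.40 2201 10.8.9.1 80 tcp
1082500008 10.8.9.40 2202 10.8.9.1 443 tcp
1082500009 10.8.9.40 2203 172.16.0.9 80 tcp
"""

# Constructed nmap -oG lines (the "Host: ... Ports: ..." format nmap emits)
SAMPLE_NMAP_OG = """\
Host: 10.8.3.17 ()\tPorts: 135/open/tcp//msrpc///, 4387/open/tcp//unknown///, 6129/closed/tcp//dameware///
Host: 10.8.9.40 ()\tPorts: 135/open/tcp//msrpc///, 4387/closed/tcp//unknown///
Host: 10.8.9.41 ()\tStatus: Down
"""


def parse_flows(text):
    """Parse the assumed flow format into (epoch, src, sport, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport), proto))
    return flows


def _in_order(ports, seq):
    """True if seq appears as an ordered subsequence of ports (other ports may interleave)."""
    it = iter(ports)
    return all(any(p == want for p in it) for want in seq)


def find_scanners(flows, min_targets=3):
    """Return {src: [targets]} for sources that ran the full port sequence, in order,
    against at least min_targets distinct hosts inside the source's own /8."""
    per_pair = defaultdict(list)
    for ts, src, sport, dst, dport, proto in flows:
        if proto == "tcp":
            per_pair[(src, dst)].append((ts, dport))
    hits = defaultdict(set)
    for (src, dst), probes in per_pair.items():
        own_slash8 = ipaddress.ip_network(f"{src}/8", strict=False)
        if ipaddress.ip_address(dst) not in own_slash8:
            continue  # the observed worm only picks targets within its /8
        probes.sort(key=lambda p: p[0])  # stable: keeps log order within a second
        if _in_order([dport for _, dport in probes], SCAN_SEQUENCE):
            hits[src].add(dst)
    return {src: sorted(d) for src, d in hits.items() if len(d) >= min_targets}


def hosts_with_open_port(grepable, port=WASTE_PORT):
    """Hosts whose nmap -oG line reports <port>/open/tcp (e.g. the 4387 WASTE listener)."""
    found = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for entry in line.split("Ports:", 1)[1].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0] == str(port) and fields[1] == "open" and fields[2] == "tcp":
                found.add(host)
    return found


if __name__ == "__main__":
    for src, targets in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: sweep of {len(targets)} hosts in its /8 -> {targets}")
    print("4387/tcp open on:", sorted(hosts_with_open_port(SAMPLE_NMAP_OG)))
```

Feed `hosts_with_open_port` the output of `nmap -p 4387 -oG - <suspects>` and run `find_scanners` over a window of firewall or NetFlow records; a host that both sweeps its /8 with this sequence and answers on 4387/tcp is a strong candidate for isolation. Only the ordered sequence is matched, so a browser hitting port 80 on a few hosts (as 10.8.9.40 does in the sample) is not flagged.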
Current thread:
- Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 mgotts (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Chris Harrington (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Arthur Clune (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Bojan Zdrnja (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Joe Stewart (Apr 22)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Kees Leune (Apr 21)