Security Incidents mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 21 Apr 2004 10:23:49 -0400
Charles Hamby wrote:
Jeff,Aside from the scanning order this sounds remarkably like a bug that we're battling right now. It's taken out about 150 or so of of our hosts. As of right now we don't know what the bug is, but we deployed a honeypot yesterday to try to capture the malware and see if we can ID the beast.
It appears to be a Gaobot derivative. Changes the home page to be<semi-random-chars>.t.muxa.cc. Google for muxa.cc and you'll get some pointers.
Jeff --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 mgotts (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Chris Harrington (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Arthur Clune (Apr 21)
- RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Bojan Zdrnja (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Joe Stewart (Apr 22)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Charles Hamby (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Jeff Kell (Apr 21)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Kees Leune (Apr 21)