Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

[Charles Hamby <fixer () gci net>]

Jeff,

Aside from the scanning order this sounds remarkably like a bug that 
we're battling right now.  It's taken out about 150 or so of of our 
hosts.  As of right now we don't know what the bug is, but we deployed a 
honeypot yesterday to try to capture the malware and see if we can ID 
the beast.

Charles Hamby

Jeff Kell wrote:

> We have had a significant outbreak of a yet-unidentified virus on 
> campus  covering several dozen machines and one remote lab (possibly 
> 100 in all).  The characteristics I have observed remotely (no 
> possibility of forensics at the moment, just shutting down ports) are 
> as follows:
>
> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
>   source ports (the source port is not fixed).
>
> It could have gained entry via tcp/1025 as all the others are blocked 
> on ingress, or it could have been brought inside via laptop.  
> Strangely enough it has not been detected in our dorms (where most of 
> our slime tends to grow).  An off-campus lab connected via half a T1 
> was almost entirely consumed, I have shutdown their serial interface 
> (can't diagnose this one as the packet loss was incredibly high).
>
> I suspect this originated as one of the MS04-xxxx exploits patched 
> last week, we've already done this exercise with other RPC-ish 
> vulnerabilities and taken time to update lab machines.
>
> Sound familiar to anyone?
>
> Jeff Kell
> University of Tennessee at Chattanooga
>
>
> --------------------------------------------------------------------------- 
>
> ---------------------------------------------------------------------------- 


---------------------------------------------------------------------------
----------------------------------------------------------------------------