Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

[C.J.Leune () uvt nl (Kees Leune)]

On Tue, Apr 20, 2004 at 10:02:08PM -0400, Jeff Kell wrote:
> We have had a significant outbreak of a yet-unidentified virus on campus 
>  covering several dozen machines and one remote lab (possibly 100 in 
> all).  The characteristics I have observed remotely (no possibility of 
> forensics at the moment, just shutting down ports) are as follows:
>
> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
>   source ports (the source port is not fixed).
>
>
> Sound familiar to anyone?

Yep; hit us last tuesday. Same pattern; sudden increase in traffic,
generating close to 100 MB/sec coming in from the Internet. We had to
significantly close down router ACLs to keep the thing out. So far, we
escaped. Now it's waiting for the first infected laptop to be brought in
again.

---------------------------------------------------------------------------
----------------------------------------------------------------------------