Security Incidents mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: C.J.Leune () uvt nl (Kees Leune)
Date: Wed, 21 Apr 2004 23:13:11 +0200
On Tue, Apr 20, 2004 at 10:02:08PM -0400, Jeff Kell wrote:
> We have had a significant outbreak of a yet-unidentified virus on campus
> covering several dozen machines and one remote lab (possibly 100 in all).
> The characteristics I have observed remotely (no possibility of forensics
> at the moment, just shutting down ports) are as follows:
>
> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral source
>   ports (the source port is not fixed).
>
> Sound familiar to anyone?
Yep; hit us last Tuesday. Same pattern; sudden increase in traffic, generating close to 100 MB/sec coming in from the Internet. We had to significantly close down router ACLs to keep the thing out. So far, we escaped. Now it's waiting for the first infected laptop to be brought in again.
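
An added example, not part of either poster's message: Python detection logic that flags hosts probing tcp 80, 6129, 1025, 3127 in that order against addresses inside their own /8, as described in the quoted report. The flow-tuple format, the function names, the `min_targets` threshold and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

SCAN_ORDER = (80, 6129, 1025, 3127)  # port order reported in the thread

def same_slash8(a, b):
    """True when both IPv4 addresses share the first octet (same /8)."""
    return ip_address(a).packed[0] == ip_address(b).packed[0]

def follows_order(ports, order=SCAN_ORDER):
    """True when `order` appears as an in-order subsequence of `ports`."""
    it = iter(ports)
    return all(p in it for p in order)  # each lookup consumes the iterator

def find_scanners(flows, min_targets=3):
    """flows: iterable of (timestamp, src, dst, dport) for outbound TCP SYNs
    (assumed format). Returns {src: sorted dsts probed in SCAN_ORDER inside
    src's /8} for sources with at least `min_targets` such destinations."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):      # order by timestamp
        if same_slash8(src, dst):
            per_pair[(src, dst)].append(dport)
    hits = defaultdict(list)
    for (src, dst), ports in per_pair.items():
        if follows_order(ports):
            hits[src].append(dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}

# Constructed sample flows (not from the thread): 10.1.2.3 behaves like the
# described scanner, 10.9.9.9 is an ordinary client.
SAMPLE_FLOWS = [
    (t + i, "10.1.2.3", dst, port)
    for t, dst in ((0, "10.44.7.1"), (10, "10.200.3.9"), (20, "10.5.5.5"))
    for i, port in enumerate(SCAN_ORDER)
] + [
    (1, "10.9.9.9", "10.0.0.80", 80),
    (2, "10.9.9.9", "10.0.0.80", 443),
    (3, "10.1.2.3", "192.0.2.10", 80),   # outside the source's /8, ignored
]

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_FLOWS).items():
        print(src, "probed", len(targets), "hosts in scan order:", targets)
```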