RE: Increase seen in port probes since Tuesday afternoon

["Michael" <mcwright () dbls com>]

We're seeing it too and believe it is part of the Gaobot/Agobot family.
We're getting concentrated scans from multiple hosts in the same Class "B"
subnet we're in.   

On web servers we're seeing log entries such as the following, which isn't
new to the Gaobot/Agobot family:

ex041226.log:2004-12-26 05:07:10 12.33.103.174 - [snip] 80 POST
/_vti_bin/_vti_aut/fp30reg.dll - 500 -

That's a frontpage dll from a vulnerability dating back to 11/03.  

With an IDS we get alerts for both 'WebDAV Search Access' and
'Chunked-Encoding transfer attempts.'  

Some good links for further information are:

http://lists.sans.org/pipermail/list/2004-December/087846.html
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.
html 

> -----Original Message-----
> From: James C Slora Jr [mailto:Jim.Slora () phra com] 
> Sent: Thursday, December 30, 2004 2:45 PM
> To: 'BahdKo'; incidents () securityfocus com
> Subject: RE: Increase seen in port probes since Tuesday afternoon
>
> BahdKo wrote Thursday, December 30, 2004 04:23
>
> > Since Tuesday afternoon EST I've seen a dramatic increase in 
> > the number of machines probing my network on ports 2745, 
> > 1025, 3127, 6129, and usually 80. Each probe involves the 
> > machine sending three packets to each port.
>
> Yes from time to time. The port pattern is typical of many 
> botnets, many of
> which will focus multiple drones against a particular IP 
> space for a while. 
>
> Packet captures might reveal whether there is anything new or 
> interesting
> about any of the individual probes. The three packets would 
> probably be
> standard Syn retries. Again a packet capture would show 
> whether or not this
> is the case. If a destination device is listening on any of 
> those ports, a
> packet capture might also give an indication about whether 
> there is some new
> payload.