Security Incidents mailing list archives

RE: TCP port 5000 syn increasing


From: Jose Nazario <jose () monkey org>
Date: Mon, 17 May 2004 22:43:52 -0400 (EDT)

using the Internet Motion Sensor project hosted by umich, we've been
monitoring global network spaces and looking at the same rise in TCP port
5000 traffic. however, the data doesn't support the theory of kibuv.b
entirely.

according to the kibuv.b description at symantec [1], we should be seeing
a similar rise in traffic on ports 80, 135, 445, 5554 (sasser backdoor),
6667 (bagle.a), 2745 (bagle.g), all rising in concert with TCP port 5000.
we're not seeing the same rise and not seeing traffic from the same sources
on these ports, in addition to kibuv.b ports like 7955 and 420.

in short, while it may be kibuv.b, the evidence doesn't entirely support
that theory. we should be seeing traffic rise against multiple ports used
by the worm ... and we're not.

we are, however, seeing exploit traffic on 5000/TCP rise over the past day
or two.

[the IMS project is due to be announced publicly at the upcoming nanog
presentation in san francisco.]

notes:
1. http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html

________
jose nazario, ph.d.                     jose () monkey org
http://monkey.org/~jose/                http://infosecdaily.net/
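The check the post describes, as an added example (not code from the post or from the IMS project): given darknet flow records, test whether a rise on 5000/TCP is accompanied, from the same sources, by activity on the ports the cited kibuv.b writeup ties to the worm. The log format, the sample records and the 50% overlap threshold are assumptions chosen for illustration.

```python
"""Test a worm hypothesis against darknet flows: does the rise on one port
come with rises on the worm's other ports, from the same source addresses?"""
from collections import defaultdict

TARGET_PORT = 5000
# Ports the post lists from the kibuv.b writeup, besides 5000/TCP itself.
RELATED_PORTS = {80, 135, 445, 5554, 6667, 2745, 7955, 420}

# Constructed sample of flow records, one per line:
# "<day> <time> <src_ip> <dst_tcp_port>" (documentation-range addresses).
SAMPLE_LOG = """\
2004-05-15 01:00:00 198.51.100.10 5000
2004-05-15 02:00:00 198.51.100.11 5000
2004-05-15 03:00:00 203.0.113.5 445
2004-05-16 01:00:00 198.51.100.10 5000
2004-05-16 02:00:00 198.51.100.12 5000
2004-05-16 03:00:00 198.51.100.13 5000
2004-05-16 04:00:00 198.51.100.13 445
2004-05-16 05:00:00 198.51.100.13 5554
2004-05-16 06:00:00 203.0.113.5 445
2004-05-17 01:00:00 198.51.100.10 5000
2004-05-17 02:00:00 198.51.100.14 5000
2004-05-17 03:00:00 198.51.100.15 5000
2004-05-17 04:00:00 198.51.100.16 5000
2004-05-17 05:00:00 203.0.113.6 135
"""


def parse_flows(text):
    """Return (day, src_ip, dst_port) tuples; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, _time, src, port = parts
        flows.append((day, src, int(port)))
    return flows


def daily_counts(flows):
    """Map each destination port to per-day hit counts aligned to sorted days."""
    days = sorted({day for day, _, _ in flows})
    index = {day: i for i, day in enumerate(days)}
    table = defaultdict(lambda: [0] * len(days))
    for day, _, port in flows:
        table[port][index[day]] += 1
    return days, dict(table)


def rising(counts):
    """Crude trend test: more hits on the last day than on the first."""
    return len(counts) >= 2 and counts[-1] > counts[0]


def source_overlap(flows, target=TARGET_PORT, related=RELATED_PORTS):
    """Of the sources hitting `target`, how many also hit any `related` port?"""
    ports_by_src = defaultdict(set)
    for _, src, port in flows:
        ports_by_src[src].add(port)
    target_srcs = {s for s, p in ports_by_src.items() if target in p}
    overlap = {s for s in target_srcs if ports_by_src[s] & related}
    frac = len(overlap) / len(target_srcs) if target_srcs else 0.0
    return len(target_srcs), len(overlap), frac


def assess(text, min_overlap=0.5):
    """Summarise whether the data fits a multi-port worm (assumed threshold)."""
    flows = parse_flows(text)
    days, table = daily_counts(flows)
    empty = [0] * len(days)
    target_rising = rising(table.get(TARGET_PORT, empty))
    related_rising = sorted(p for p in RELATED_PORTS if rising(table.get(p, empty)))
    n_target, n_overlap, frac = source_overlap(flows)
    return {
        "days": days,
        "target_rising": target_rising,
        "related_rising": related_rising,
        "target_sources": n_target,
        "overlapping_sources": n_overlap,
        "overlap_fraction": frac,
        # The worm theory needs the other ports to rise AND the same sources
        # to be behind both; a rise on 5000 alone is not enough.
        "consistent_with_worm": target_rising and bool(related_rising)
        and frac >= min_overlap,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, port 5000 rises day over day, but only one of the seven sources hitting it touches any of the related ports, so the summary reports the data as not consistent with the worm, which is the shape of argument the post makes.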
