Security Incidents mailing list archives
RE: TCP port 5000 syn increasing
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 19 May 2004 10:30:45 +1200
Frank Knobbe <frank () knobbe us> wrote:
That begs the question if it isn't becoming useless nowadays to count port scans. Perhaps we should focus instead on catching the worms and provide payload, or payload hashes. Otherwise, how would you pick up the new strain of SQL slammer amongst all the existing SQL port scans?
Well, some of us not only are doing this, but have been for several years (at least for a select group of likely ports). I know of several "home brew" projects in the anti-malware community that more or less do what you propose, and at least one of them is publicly available and looking for more dedicated nodes. If you're up for running a well-configured Windows box with open Internet access, have a look at WormRadar:

http://www.wormradar.com/

This is an offshoot of an earlier, similar effort which, among other things, was the first to detect several variants of CodeRed. I'm not directly related to this project, but was one of the very early users of WormRadar's forebear, WormCatcher.

WormRadar is a private project of Roger Thompson, one of the very early AV industry folk (he developed at least two detection engines for two different product lines), more recently Director of Malware Research at ICSA and now VP of Product Development at PestPatrol.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
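The idea Frank raises above (tracking payload hashes rather than only counting hits per port, so a new strain stands out among the background noise on an already-scanned port) as an added example that is not part of the original thread or of WormRadar. The captures, the "known" hash set and the port numbers are constructed for illustration; the payload bytes are not real worm traffic.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample captures: (destination port, raw payload bytes).
# These are NOT real worm payloads; they only stand in for what a
# sensor would record per inbound connection or datagram.
CAPTURES = [
    (1434, b"\x04\x01\x01\x01\x01 KNOWN-STRAIN-A "),
    (1434, b"\x04\x01\x01\x01\x01 KNOWN-STRAIN-A "),
    (1434, b"\x04\x01\x01\x01\x01 KNOWN-STRAIN-A "),
    (1434, b"\x04\x01\x01\x01\x01 KNOWN-STRAIN-A "),
    (1434, b"\x04\x01\x01\x01\x01 NEW-STRAIN-B "),
    (5000, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    (5000, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

def payload_hash(payload: bytes) -> str:
    """Stable identifier for a payload; hashes are cheap to share between sensors."""
    return hashlib.sha256(payload).hexdigest()

# Hashes an analyst has already classified (constructed here from the
# sample "known" payload; in practice this set is fed from prior analysis).
KNOWN_HASHES = {payload_hash(b"\x04\x01\x01\x01\x01 KNOWN-STRAIN-A ")}

def port_counts(captures):
    """The traditional view: total hits per destination port."""
    return Counter(port for port, _ in captures)

def novel_payloads(captures, known_hashes):
    """Group captures by payload hash and keep only hashes not seen before.
    Returns {port: {hash: count}} so a single new strain on a busy port is visible."""
    novel = defaultdict(Counter)
    for port, payload in captures:
        h = payload_hash(payload)
        if h not in known_hashes:
            novel[port][h] += 1
    return {port: dict(c) for port, c in novel.items()}

if __name__ == "__main__":
    # Port counting alone reports 5 hits on 1434 and says nothing about strains.
    print("hits per port:", dict(port_counts(CAPTURES)))
    # Hash grouping separates the one unclassified payload from the four known ones.
    for port, hashes in novel_payloads(CAPTURES, KNOWN_HASHES).items():
        for h, n in hashes.items():
            print(f"port {port}: unclassified payload {h[:16]}... seen {n}x")
```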