Snort mailing list archives

RE: Spam:Re: New Blaster variant?


From: "Bryan Oser" <bryano () stratarc com>
Date: Wed, 29 Oct 2003 09:27:37 -0600

Thanks all!

Bryan

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Kell
Sent: Tuesday, October 28, 2003 9:09 PM
To: Security Admin
Cc: snort-users () lists sourceforge net
Subject: Spam:Re: [Snort-users] New Blaster variant?

Security Admin wrote:

> Port 27347 is a sub 7 trojan port. The following worm is also known
> to use this port after infection through Kazaa
> etc.....W32/Spybot.worm.gen.

No, 27374 is sub seven, but there has been a recent spike in 27347.

> All I've heard is a variant where infected machines are found to be
> listening on port 707. This information is not confirmed yet and no
> AV vendors are reporting anything.

707 is a Nachi variant and has been documented for some time, I shut down
a dozen or so ports today.  See McAfee's page:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100559

> Sniffer Customers:  A new filter has been developed that will look
> for any traffic exploiting the RPC Exploit, plus traffic on port 4444
> (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and
> Sniffer Portable 4.7.5).

These systems typically have 4444 open as well, like the original Nachi.

Jeff



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



