[Intrusions] odd worm (?) activity?

Timothy Chase timothychase at gmail.com
Tue Sep 14 15:02:57 GMT 2004


Charlie,

You stated,
> ...
> There are more duplicated ports than just 135.  And all of the ports
> are common worm backdoor ports.  Also, since the scan is sourced from
> another system on the same subnet, it is likely that the "scanner" is
> unaware of the infection.

I hope you don't mind, but I was wondering why being on the same
subnet suggests that the "scanner" is unaware of the infection?  For
example, it has been my experience that virtually all attempts by bots
to make use of the Bagle backdoor are from the same subnet (24),
although recently, I have seen a few attempting to come in from the
60's and 200's (I would have to check my logs to give you the exact
subnet or IP address), and only afterwards did I see any which (when
ftp'd over) had the same MD5 hashes from my own subnet.  Are
connection attempts by bots from other subnets indicative of seeding,
as the phenomena I have observed would seem to indicate, and if so, why?

Tim
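The question above turns on a simple triage heuristic: bucket connection attempts to worm backdoor ports by the source's /24 and separate the ones from the local subnet from the ones arriving from elsewhere, then check whether the same payload hash shows up from more than one subnet. The following is an added example, not code from the original thread; the log format, the local subnet 24.10.5.0/24, and the port 4444 are constructed assumptions (port 135 is the one the thread mentions).

```python
"""Bucket backdoor-port connection attempts by source /24, local vs. remote."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log lines (not from the original message):
#   <Mon> <day> <time> <src_ip> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
Sep 14 14:01:02 24.10.5.7 -> 24.10.5.50:135
Sep 14 14:01:09 24.10.5.7 -> 24.10.5.51:135
Sep 14 14:02:41 24.10.5.99 -> 24.10.5.50:135
Sep 14 14:05:13 60.3.1.4 -> 24.10.5.50:135
Sep 14 14:05:15 200.1.2.3 -> 24.10.5.50:135
Sep 14 14:06:00 60.3.1.4 -> 24.10.5.51:4444
Sep 14 14:07:22 24.10.5.7 -> 24.10.5.52:22
"""

# Assumed local subnet and watched ports; 135 comes from the thread,
# 4444 is an assumption standing in for "other common backdoor ports".
LOCAL_NET = ipaddress.ip_network("24.10.5.0/24")
WATCHED_PORTS: Set[int] = {135, 4444}


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (src_ip, dst_port) from one constructed log line, or None."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    src = parts[3]
    _, _, port = parts[5].rpartition(":")
    try:
        ipaddress.ip_address(src)
        return src, int(port)
    except ValueError:
        return None


def source_slash24(ip: str) -> str:
    """Collapse a source address to its /24, e.g. 60.3.1.4 -> 60.3.1.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def summarize_by_subnet(log_text: str,
                        local_net: ipaddress.IPv4Network = LOCAL_NET,
                        watched: Set[int] = WATCHED_PORTS) -> Dict[str, Counter]:
    """Count hits on watched ports, keyed by source /24, split local/remote."""
    result: Dict[str, Counter] = {"local": Counter(), "remote": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, port = parsed
        if port not in watched:
            continue
        bucket = "local" if ipaddress.ip_address(src) in local_net else "remote"
        result[bucket][source_slash24(src)] += 1
    return result


def hashes_seen_from_multiple_subnets(
        records: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Given (src_ip, payload_hash) pairs, return hashes seen from >1 /24.

    A hash pushed by hosts in several unrelated /24s is the kind of signal
    the thread asks about; one /24 only looks like local spread.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for src, digest in records:
        seen[digest].add(source_slash24(src))
    return {h: sorted(nets) for h, nets in seen.items() if len(nets) > 1}


if __name__ == "__main__":
    for bucket, counts in summarize_by_subnet(SAMPLE_LOG).items():
        print(bucket, dict(counts))
    # Constructed (src, hash) pairs; the hashes are placeholders, not real samples.
    pairs = [("24.10.5.7", "hash-A"), ("60.3.1.4", "hash-A"), ("24.10.5.99", "hash-B")]
    print(hashes_seen_from_multiple_subnets(pairs))
```

Running it on the constructed log shows three watched-port hits from the local /24 and three from two remote /24s; the hash check then reports which payload hashes arrived from more than one subnet.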
