[Dshield] New Outlook virus?

John Sage jsage at finchhaven.com
Wed Oct 2 17:24:58 GMT 2002


On Wed, Oct 02, 2002 at 07:22:04AM -0500, Bob Savage wrote:
> We do use Windows here, and have had absolutely no activity of the type
> described over the last few days in the discussion of these new
> viruses/attacks.  I've checked every morning for port 137 or port 1025 -
> 1029 traffic: source or destination, in or out, udp/tcp/anything else.
> None.  Not one packet using or attempting to use those ports.

I have seen relatively little traffic from your neighborhood:

Received: from unknown (HELO m255.corp.rnr-inc.com) (209.224.54.49)

From my latest UDP:137 source IP listing:

<snip>
 #433-671| [2002-09-29 11:18:09] 208.225.13.226:137 -> 12.82.137.251:137
  #435-20| [2002-09-30 09:55:05] 208.40.31.52:1026 -> 12.82.129.94:137

 #433-713| [2002-09-29 13:08:00] 209.110.39.109:1025 -> 12.82.137.251:137
 #433-724| [2002-09-29 13:11:00] 209.19.160.183:1027 -> 12.82.137.251:137
 #286-170| [2002-10-01 12:23:00] 209.206.249.157:1415 -> 12.82.129.56:137
 #286-175| [2002-10-01 13:12:31] 209.246.70.128:1027 -> 12.82.129.56:137
   #435-8| [2002-09-30 09:12:05] 209.91.186.49:1025 -> 12.82.129.94:137

#71-11967| [2002-09-29 18:40:42] 210.101.102.80:1026 -> 12.82.137.163:137
 #432-117| [2002-09-29 04:08:34] 210.102.18.84:1025 -> 12.82.129.211:137
<snip> 

From what I've seen, you're likely to be scanned from your 209.224.x.x
and 209.224.5x.x somewhat more frequently than any other IP address in
general.

I've had over 530 single probes from unique source IP addresses since
early 09/28/02.


- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
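
An added example, not part of the original message: one way to tally a listing in the format shown above, counting unique and single-probe sources and grouping them by source port (137, the 1025-1029 range mentioned in the quoted text, or other) and by source /16. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import IPv4Address, AddressValueError

# Constructed sample in the listing's format; addresses are documentation ranges.
SAMPLE = """\
 #433-671| [2002-09-29 11:18:09] 198.51.100.226:137 -> 192.0.2.251:137
  #435-20| [2002-09-30 09:55:05] 198.51.100.52:1026 -> 192.0.2.94:137
 #433-713| [2002-09-29 13:08:00] 203.0.113.109:1025 -> 192.0.2.251:137
 #433-724| [2002-09-29 13:11:00] 203.0.113.183:1027 -> 192.0.2.251:137
 #286-170| [2002-10-01 12:23:00] 203.0.113.157:1415 -> 192.0.2.56:137
 #286-175| [2002-10-01 13:12:31] 203.0.113.109:1025 -> 192.0.2.56:137
<snip>
"""

LINE = re.compile(r"\[(?P<ts>[^\]]+)\]\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                  r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(text):
    """Return (src, sport, dport) per probe line; skip <snip>, blanks, bad IPs."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        try:
            src = IPv4Address(m["src"])
        except AddressValueError:
            continue
        out.append((src, int(m["sport"]), int(m["dport"])))
    return out

def sport_class(port):
    """Bucket a source port: NetBIOS name service, low ephemeral range, or other."""
    if port == 137:
        return "137"
    if 1025 <= port <= 1029:
        return "1025-1029"
    return "other"

def summarize(text, dport=137):
    """Summarize probes aimed at dport; by_slash16 counts unique sources per /16."""
    probes = [p for p in parse(text) if p[2] == dport]
    per_src = Counter(src for src, _, _ in probes)
    return {
        "probes": len(probes),
        "unique_sources": len(per_src),
        "single_probe_sources": sum(1 for n in per_src.values() if n == 1),
        "by_source_port": Counter(sport_class(sp) for _, sp, _ in probes),
        "by_slash16": Counter(".".join(str(s).split(".")[:2]) + ".x.x" for s in per_src),
    }
```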