[Dshield] Traffic on 1025, 6129, 2745, 80, 3127

Danny Schales dan at LaTech.edu
Fri Apr 2 03:52:04 GMT 2004


On Thu, 1 Apr 2004, Shawn Cox wrote:

> I should have been a little more careful about the description I provided.
>
> Here's my daily summary for yesterday.  I was just really surprised to see 3500+ hosts start attacking in such a short time frame.
> My previous days submissions was a mere 47,000 packets for the whole day.
> Each of the 3500 IP's attacked the ports 1025, 6129, 2745, 80, 3127 in that order.  I guess with 3127 in there it must be some form of MyDoom.
>
>
>       Port Packets Sources Targets Service Name
>       2745 106883 3459 445 urbisnet   URBISNET
>       1025 102081 3429 445 blackjack   network blackjack
>       6129 94400 3309 445 dameware   Dameware Remote Admin
>       3127 64061 2042 445 mydoom   W32/MyDoom, W32.Novarg.A backdoor
>

As I responded in a personal reply, this has all the characteristics of
the latest Agobot/Gaobot worms.  They scan for these ports.  From
Symantecs description of w32.gaobot.sa:

Attempts to spread to other computers using a number of methods,
including:

    * Sending itself to the backdoor port, which the Beagle family of
worms opens
    * Sending itself to the backdoor port, which the Mydoom family of
worms opens
    * Using the WebDAV vulnerability
    * Using the RPC DCOM vulnerability

I locate locally infected systems by watching for the port scanning
pattern you listed for cleaning and patching of infected systems..

Danny




More information about the list mailing list