[Dshield] Traffic on 1025, 6129, 2745, 80, 3127
dan at LaTech.edu
Fri Apr 2 03:52:04 GMT 2004
On Thu, 1 Apr 2004, Shawn Cox wrote:
> I should have been a little more careful about the description I provided.
> Here's my daily summary for yesterday. I was just really surprised to see 3500+ hosts start attacking in such a short time frame.
> My previous day's submission was a mere 47,000 packets for the whole day.
> Each of the 3500 IPs attacked the ports 1025, 6129, 2745, 80, 3127 in that order. I guess with 3127 in there it must be some form of MyDoom.
> Port  Packets  Sources  Targets  Service    Name
> 2745  106883   3459     445      urbisnet   URBISNET
> 1025  102081   3429     445      blackjack  network blackjack
> 6129  94400    3309     445      dameware   Dameware Remote Admin
> 3127  64061    2042     445      mydoom     W32/MyDoom, W32.Novarg.A backdoor
As I responded in a personal reply, this has all the characteristics of
the latest Agobot/Gaobot worms. They scan for these ports. From
Symantec's description of w32.gaobot.sa:
Attempts to spread to other computers using a number of methods,
* Sending itself to the backdoor port, which the Beagle family of
* Sending itself to the backdoor port, which the Mydoom family of
* Using the WebDAV vulnerability
* Using the RPC DCOM vulnerability
I locate locally infected systems by watching for the port scanning
pattern you listed, for cleaning and patching of infected systems.
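The "watch for the port scanning pattern" approach above, written out as an added example (not code from either poster): it groups firewall-log lines by source and target and flags any source that hits 1025, 6129, 2745, 80, 3127 in that order. The log layout and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Ordered destination-port sweep reported in the thread (Agobot/Gaobot-style).
AGOBOT_SWEEP = (1025, 6129, 2745, 80, 3127)

# Constructed sample lines in a simple "timestamp src dst dport proto" layout
# (not real DShield data): 10.0.0.5 runs the full sweep, 10.0.0.9 only part of it.
SAMPLE_LOG = """\
2004-04-01T02:10:01 10.0.0.5 192.0.2.10 1025 tcp
2004-04-01T02:10:01 10.0.0.5 192.0.2.10 6129 tcp
2004-04-01T02:10:02 10.0.0.5 192.0.2.10 2745 tcp
2004-04-01T02:10:02 10.0.0.5 192.0.2.10 80 tcp
2004-04-01T02:10:03 10.0.0.5 192.0.2.10 3127 tcp
2004-04-01T02:11:00 10.0.0.7 192.0.2.10 80 tcp
2004-04-01T02:11:05 10.0.0.7 192.0.2.10 443 tcp
2004-04-01T02:12:00 10.0.0.9 192.0.2.11 1025 tcp
2004-04-01T02:12:00 10.0.0.9 192.0.2.11 6129 tcp
2004-04-01T02:12:01 10.0.0.9 192.0.2.11 3127 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, _proto = m.groups()
            yield ts, src, dst, int(dport)

def is_ordered_subsequence(pattern, seq):
    """True if every port in pattern appears in seq in that order (other ports may intervene)."""
    it = iter(seq)
    return all(any(p == x for x in it) for p in pattern)

def find_sweeping_sources(text, pattern=AGOBOT_SWEEP):
    """Return sources whose port sequence against any single target contains the sweep in order."""
    hits = defaultdict(list)  # (src, dst) -> destination ports in log order
    for _ts, src, dst, dport in parse_log(text):
        hits[(src, dst)].append(dport)
    return sorted({src for (src, _dst), ports in hits.items()
                   if is_ordered_subsequence(pattern, ports)})

if __name__ == "__main__":
    print(find_sweeping_sources(SAMPLE_LOG))  # ['10.0.0.5']
```

Sources that only hit a subset of the ports (like 10.0.0.9 above) are left for manual review rather than flagged, which keeps ordinary web traffic to port 80 from triggering the check.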