[Dshield] Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

Matthias Geerdsen matthias at vorlon2.dyndns.org
Wed Apr 21 06:33:02 GMT 2004


On 21.04.2004 04:02, Jeff Kell wrote:

> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
>   source ports (the source port is not fixed).

That sounds like an Agobot/Gaobot/... variant; we had quite a number of
infected hosts here too. I found two different variants; it took days
until the commonly used virus scanners were able to detect both. Samples
were submitted. It seems like the number of tried exploits by the worm
is growing; lately more ports have been scanned than before.

Matthias
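
Added example, not part of the original message: one way to match the scan pattern quoted above (destination ports 80, 6129, 1025, 3127 in order, targets inside the source's own /8) against TCP connection logs to find infected hosts. The flow tuple layout, the function names, the `min_targets` threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Destination ports in the order reported in the quoted message.
SCAN_SEQUENCE = (80, 6129, 1025, 3127)

def same_slash8(a, b):
    """True when both IPv4 addresses share the first octet (same /8)."""
    return ipaddress.ip_address(a).packed[0] == ipaddress.ip_address(b).packed[0]

def contains_in_order(ports, sequence=SCAN_SEQUENCE):
    """True when `sequence` appears as an ordered subsequence of `ports`."""
    it = iter(ports)
    return all(p in it for p in sequence)

def find_scanners(flows, min_targets=3):
    """Return {src: target_count} for sources that probed the whole port
    sequence, in order, on at least `min_targets` hosts in their own /8.
    `flows` holds (timestamp, src_ip, dst_ip, dst_port) per TCP SYN; source
    ports are ignored because the message says they are not fixed."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in SCAN_SEQUENCE and same_slash8(src, dst):
            per_pair[(src, dst)].append(dport)
    hits = defaultdict(int)
    for (src, dst), ports in per_pair.items():
        if contains_in_order(ports):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_targets}

def constructed_sample():
    """Constructed flow records: one scanner, one web client, one odd host."""
    flows, t = [], 0
    for dst in ("10.200.5.7", "10.44.9.1", "10.17.3.250"):
        for port in SCAN_SEQUENCE:          # full sequence, in order
            t += 1
            flows.append((t, "10.1.2.3", dst, port))
    for dst in ("10.9.9.1", "10.9.9.2", "10.9.9.3"):
        t += 1                              # plain web traffic, port 80 only
        flows.append((t, "10.1.2.50", dst, 80))
    for port in (3127, 1025, 6129, 80):     # same ports, reversed order
        t += 1
        flows.append((t, "10.1.2.60", "10.9.9.1", port))
    return flows

if __name__ == "__main__":
    print(find_scanners(constructed_sample()))
```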


