[Dshield] New tool making the rounds: MyDoom scanner

Bjorn Stromberg bjorn at thechemistrylab.com
Mon Feb 9 16:38:44 GMT 2004


Looks like there is a new tool making the rounds this weekend.

I haven't got any packet captures but it looks like it's crawling IP
addresses and probing ports 3128 and 1080.

I've got four instances of it sending SYN packets twice and one instance of
it sending in groups of three. I would guess these are spammers / crackers
looking for new open proxies to do their nefarious deeds.

I'll open up my packet logger and see if I can catch what they're saying.

Relevant Logs Follow:
2004-02-09 12:29:04 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:06 81.50.168.153 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:12 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:15 81.50.168.153 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:28 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:31 81.50.168.153 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:35 81.50.168.153 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
2004-02-09 12:29:38 81.50.168.153 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
2004-02-09 12:29:50 81.50.168.153 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:29:53 81.50.168.153 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:29:59 81.50.168.153 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
2004-02-09 12:30:01 81.50.168.153 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
2004-02-09 12:30:16 81.50.168.153 aaa.bbb.ccc.197 Tcp 2130 3128 SYN
2004-02-09 12:30:18 81.50.168.153 aaa.bbb.ccc.197 Tcp 2130 3128 SYN
2004-02-09 12:30:24 81.50.168.153 aaa.bbb.ccc.197 Tcp 2837 1080 SYN
2004-02-09 12:30:27 81.50.168.153 aaa.bbb.ccc.197 Tcp 2837 1080 SYN
2004-02-09 12:30:40 81.50.168.153 aaa.bbb.ccc.198 Tcp 4323 3128 SYN
2004-02-09 12:30:42 81.50.168.153 aaa.bbb.ccc.198 Tcp 4323 3128 SYN
2004-02-09 12:30:46 81.50.168.153 aaa.bbb.ccc.198 Tcp 1112 1080 SYN
2004-02-09 12:30:50 81.50.168.153 aaa.bbb.ccc.198 Tcp 1112 1080 SYN

Bjorn Stromberg
::this is not a sig::
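
Added example, not part of the original post: one way to pick this pattern out of a firewall log in the layout shown above, by flagging any source that sends SYNs to both 3128 and 1080 on several hosts and reporting how many times each SYN was repeated. The log lines, the addresses 192.0.2.10 and 198.51.100.7, the function names and the min_targets threshold are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

PROXY_PORTS = {1080, 3128}  # the two ports the post reports being probed
# Constructed sample in the post's layout: date time src dst proto sport dport flags
SAMPLE_LOG = """\
2004-02-09 12:29:04 192.0.2.10 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:06 192.0.2.10 aaa.bbb.ccc.194 Tcp 3133 3128 SYN
2004-02-09 12:29:12 192.0.2.10 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:15 192.0.2.10 aaa.bbb.ccc.194 Tcp 3769 1080 SYN
2004-02-09 12:29:28 192.0.2.10 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:31 192.0.2.10 aaa.bbb.ccc.195 Tcp 1273 3128 SYN
2004-02-09 12:29:35 192.0.2.10 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
2004-02-09 12:29:38 192.0.2.10 aaa.bbb.ccc.195 Tcp 1785 1080 SYN
2004-02-09 12:29:50 192.0.2.10 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:29:53 192.0.2.10 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:29:59 192.0.2.10 aaa.bbb.ccc.196 Tcp 3062 3128 SYN
2004-02-09 12:30:05 192.0.2.10 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
2004-02-09 12:30:08 192.0.2.10 aaa.bbb.ccc.196 Tcp 3723 1080 SYN
2004-02-09 12:31:00 198.51.100.7 aaa.bbb.ccc.194 Tcp 4410 80 SYN
"""

def parse(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    f = line.split()
    if len(f) != 8 or not (f[5].isdigit() and f[6].isdigit()):
        return None
    return {"src": f[2], "dst": f[3], "proto": f[4].lower(),
            "sport": int(f[5]), "dport": int(f[6]), "flags": f[7]}

def find_proxy_scanners(log_text, min_targets=3):
    """Map each source that swept >= min_targets hosts on all PROXY_PORTS to a summary."""
    flows = defaultdict(Counter)  # src -> Counter{(dst, sport, dport): SYN count}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["proto"] == "tcp" and rec["flags"] == "SYN":
            flows[rec["src"]][(rec["dst"], rec["sport"], rec["dport"])] += 1
    report = {}
    for src, attempts in flows.items():
        ports_by_dst = defaultdict(set)
        for dst, _sport, dport in attempts:
            ports_by_dst[dst].add(dport)
        # A host counts as a target only if every proxy port was tried on it
        targets = sorted(d for d, p in ports_by_dst.items() if PROXY_PORTS <= p)
        if len(targets) >= min_targets:
            # SYNs per attempt; 2 or 3 means the same SYN was retried unanswered
            report[src] = {"targets": targets,
                           "syn_group_sizes": sorted(set(attempts.values()))}
    return report
print(find_proxy_scanners(SAMPLE_LOG))
```

Destination addresses are compared as plain strings, so masked values such as aaa.bbb.ccc.194 parse without change.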



