[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?
doug at clickdoug.com
Mon Feb 9 20:25:01 GMT 2004
Here is a capture on a 3127 probe.
Apparently from a dynamic IP in Australia.
Packets are varying lengths.
Does anyone know how to translate these? I would appreciate the information.
----- Original Message -----
From: "Erik van Straten" <emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl>
To: <list at dshield.org>
Sent: Monday, February 09, 2004 12:46 PM
Subject: [DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?
: I've observed a rapid increase in 3127/tcp scans from seemingly
: random IPs. They're sequentially scanning our IPs, bottom-up.
: These seem to match Kaspersky's Doomjuice (published ~ 2 hours ago):
: Details, incl. address generation algorithm:
: Supposedly it also causes a DDoS against Microsoft.
: Note that this one seems to differ from Symantec's Deadhat:
: According to Symantec's description, Deadhat scans 3127/tcp, 3128/tcp
: and 1080/tcp (I've seen one or two of those).
: Erik van Straten
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...