[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?
areust at comcast.net
Tue Feb 10 00:47:41 GMT 2004
Thursday, I saw a slight increase from 5 snort sensors (different DMZs)
with Scan Proxy (1080) and Scan Squid Proxy (3128). Same IPs for both
ports. So as this piqued my interest, when I looked it showed no payloads.
This I presumed was due to the "lack" of MyDoom "NOT" being present. It
was a scan to see who would respond. Those scans (IPs) were then added to
the ACLs (reject). As I looked this morning there was an increase in
traffic from new IPs.
The source port seemed to be a random TCP port and the destination TCP port was
targeted to 3128 or 1080; the packets appear identical.
I hate word wrap but here goes.
<Quote from Snort>
Meta:    ID #1 - 44077   Time 2/9/2004 4:46   Triggered Signature: [snort] SCAN Squid Proxy
Sensor:  name MERIDIAN:DevicePacket (trimmed)   interface DevicePacket (trimmed)   filter none
IP:      Ver 4   Hdr Len 5   TOS 0   length 52   ID 40273   flags 0   offset 0   TTL 115   chksum 18521
FQDN:    Source Name p50803625.dip.t-dialin.net   Dest. Unable to resolve
TCP:     source port 2221   dest port 3128   flags (R1 R0 URG ACK PSH RST SYN FIN): X   seq # 3750972217   ack 0   offset 8   res 0   window 32767   urp 0   chksum 36193
Options: #1 MSS length 2 data 05A0   #2 NOP length 0   #3 WS length 1 data 0   #4 NOP length 0   #5 NOP length 0   #6 SACKOK length 0
At 07:46 PM 2/9/2004 +0100, you wrote:
>I've observed a rapid increase in 3127/tcp scans from seemingly
>random IP's. They're sequentially scanning our IP's, bottom-up.
>These seem to match Kaspersky's Doomjuice (published ~ 2 hours ago):
>Details, incl. address generation algorithm:
>Supposedly it also causes a DDoS against Microsoft.
>Note that this one seems to differ from Symantec's Deadhat:
>According to Symantec's description, Deadhat scans 3127/tcp, 3128/tcp
>and 1080/tcp (I've seen one or two of those).
>Erik van Straten
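The two observations in this thread that make a source worth blocking are (a) the same source IP probing more than one of the proxy/backdoor ports (1080, 3127, 3128) and (b) a source walking through the destination range sequentially, bottom-up. The script below is an added example, not code from the original post or from DShield: it parses Snort "fast" alert lines, profiles each source against both criteria, and renders a reject list in Cisco-style ACL syntax. The alert lines, rule SIDs (9001-9003), addresses and the ACL rendering are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread: SOCKS proxy (1080), Squid proxy (3128) and
# the 3127/tcp port the thread associates with MyDoom / Doomjuice.
WATCHED_PORTS = {1080, 3127, 3128}

# Snort "fast" alert format: <ts> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (SIDs 9001-9003 are placeholders, not real Snort SIDs).
# 198.51.100.7 hits 3128 and 1080 on consecutive hosts; 192.0.2.33 sweeps 3127
# bottom-up; 192.0.2.200 touches a single port on a single host.
SAMPLE_ALERTS = """\
02/09-04:46:10.000000 [**] [1:9001:1] SCAN Squid Proxy [**] [Priority: 2] {TCP} 198.51.100.7:2221 -> 203.0.113.10:3128
02/09-04:46:10.200000 [**] [1:9002:1] SCAN Proxy (1080) [**] [Priority: 2] {TCP} 198.51.100.7:2222 -> 203.0.113.10:1080
02/09-04:46:11.000000 [**] [1:9001:1] SCAN Squid Proxy [**] [Priority: 2] {TCP} 198.51.100.7:2223 -> 203.0.113.11:3128
02/09-04:46:11.200000 [**] [1:9002:1] SCAN Proxy (1080) [**] [Priority: 2] {TCP} 198.51.100.7:2224 -> 203.0.113.11:1080
02/09-04:46:12.000000 [**] [1:9001:1] SCAN Squid Proxy [**] [Priority: 2] {TCP} 198.51.100.7:2225 -> 203.0.113.12:3128
02/09-04:47:01.000000 [**] [1:9003:1] SCAN 3127 backdoor [**] [Priority: 2] {TCP} 192.0.2.33:1040 -> 203.0.113.1:3127
02/09-04:47:02.000000 [**] [1:9003:1] SCAN 3127 backdoor [**] [Priority: 2] {TCP} 192.0.2.33:1041 -> 203.0.113.2:3127
02/09-04:47:03.000000 [**] [1:9003:1] SCAN 3127 backdoor [**] [Priority: 2] {TCP} 192.0.2.33:1042 -> 203.0.113.3:3127
02/09-04:47:04.000000 [**] [1:9003:1] SCAN 3127 backdoor [**] [Priority: 2] {TCP} 192.0.2.33:1043 -> 203.0.113.4:3127
02/09-04:50:00.000000 [**] [1:9001:1] SCAN Squid Proxy [**] [Priority: 2] {TCP} 192.0.2.200:50123 -> 203.0.113.10:3128
"""


def parse_alerts(text):
    """Return (src, dst, dport, msg) tuples for every line that matches the fast format."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"]), m["msg"]))
    return events


def is_sequential(dst_ips):
    """True when the ordered destination list steps through consecutive addresses (bottom-up sweep)."""
    nums = [int(ipaddress.IPv4Address(ip)) for ip in dst_ips]
    return len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def profile_sources(events, min_ports=2):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    ports = defaultdict(set)
    targets = defaultdict(list)  # destinations in first-seen order, de-duplicated
    for src, dst, dport, _ in events:
        if dport not in WATCHED_PORTS:
            continue
        ports[src].add(dport)
        if dst not in targets[src]:
            targets[src].append(dst)

    findings = {}
    for src, seen_ports in ports.items():
        reasons = []
        if len(seen_ports) >= min_ports:
            reasons.append("multi-port:" + ",".join(str(p) for p in sorted(seen_ports)))
        if is_sequential(targets[src]):
            reasons.append("sequential-sweep:%d hosts" % len(targets[src]))
        if reasons:
            findings[src] = reasons
    return findings


def reject_acl(findings):
    """Render one deny entry per flagged source (Cisco-style extended ACL syntax, illustrative)."""
    return ["deny ip host %s any" % src
            for src in sorted(findings, key=ipaddress.IPv4Address)]


if __name__ == "__main__":
    found = profile_sources(parse_alerts(SAMPLE_ALERTS))
    for src, reasons in found.items():
        print(src, "->", "; ".join(reasons))
    print("\n".join(reject_acl(found)))
```

The sequential-sweep check deliberately requires at least three consecutive destinations so that two neighbouring hosts hit by chance do not trigger a block; raising `min_ports` or that threshold trades detection speed for fewer false rejects on a busy DMZ.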