[Dshield] New tool making the rounds: MyDoom scanner

Bjorn Stromberg bjorn at thechemistrylab.com
Thu Feb 12 18:50:30 GMT 2004


Keep in mind that I can't see port 3127 so I can't tell if it is included in
these scans. Anyone care to identify the different versions responsible for
these scans?

http://isc.incidents.org/port_details.html?port=3128
http://isc.incidents.org/port_details.html?port=1080
http://isc.incidents.org/port_details.html?port=10080

So far I've seen 4 different variations on the scans. Each increment through
IP addresses after sending Syn packets to ports in the following patterns.

First seen on my system: 2004-02-07 22:18:47
3128
3128
1080
1080

First seen on my system: 2004-02-08 17:24:55
3128
3128
3128
1080
1080
1080

First seen on my system: 2004-02-10 14:23:11
1080
3128

First seen on my system: 2004-02-11 18:22:05
1080
10080
3128

Bjorn Stromberg
::this is not a sig::




More information about the list mailing list