[Dshield] New tool making the rounds: MyDoom scanner

Blake McNeill mcneillb at linklogger.com
Thu Feb 12 21:41:22 GMT 2004


I have seen scans to 3127, 3128, 1080, 10080 as well so I captured one and
it is Deadhat ( PortPeeker capture available here
http://www.LinkLogger.com/deadhat.htm ), so perhaps the AV guys missed the
10080 port.  I have confirmed this behaviour with a couple of other people
as well.

Remember that it's not uncommon to see group scans to 3128, 1080, 8080, 6588,
etc. as these are common scans for open proxies.  The 10080 I thought was a
very interesting scan however.

Blake
http://www.SonicLogger.com - Logging Software for SonicWall
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


----- Original Message ----- 
From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, February 12, 2004 11:50 AM
Subject: Re: [Dshield] New tool making the rounds: MyDoom scanner


> Keep in mind that I can't see port 3127 so I can't tell if it is included in
> these scans. Anyone care to identify the different versions responsible for
> these scans?
>
> http://isc.incidents.org/port_details.html?port=3128
> http://isc.incidents.org/port_details.html?port=1080
> http://isc.incidents.org/port_details.html?port=10080
>
> So far I've seen 4 different variations on the scans. Each increments through
> IP addresses after sending SYN packets to ports in the following patterns.
>
> First seen on my system: 2004-02-07 22:18:47
> 3128
> 3128
> 1080
> 1080
>
> First seen on my system: 2004-02-08 17:24:55
> 3128
> 3128
> 3128
> 1080
> 1080
> 1080
>
> First seen on my system: 2004-02-10 14:23:11
> 1080
> 3128
>
> First seen on my system: 2004-02-11 18:22:05
> 1080
> 10080
> 3128
>
> Bjorn Stromberg
> ::this is not a sig::
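An added example, not part of the original thread: one way to sort firewall log entries into the four per-target port sequences listed in the quoted message. The pattern labels, the 60-second `max_gap` cutoff, the event tuple layout and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port sequences per target IP, copied from the four patterns in the quoted post.
# The labels are made up here from the "first seen" dates given there.
PATTERNS = {
    (3128, 3128, 1080, 1080): "seen-2004-02-07",
    (3128, 3128, 3128, 1080, 1080, 1080): "seen-2004-02-08",
    (1080, 3128): "seen-2004-02-10",
    (1080, 10080, 3128): "seen-2004-02-11",
}

def classify_scans(events, max_gap=timedelta(seconds=60)):
    """events: (datetime, src_ip, dst_ip, dst_port) tuples for inbound SYNs.
    Returns {src_ip: {label: number_of_bursts}}. max_gap is an assumed cutoff
    that separates one pass over a target from a later revisit."""
    bursts = defaultdict(list)      # (src, dst) -> list of port lists
    last_seen = {}
    # Sort on time only; the stable sort keeps log order for equal timestamps.
    for ts, src, dst, port in sorted(events, key=lambda e: e[0]):
        key = (src, dst)
        if key not in last_seen or ts - last_seen[key] > max_gap:
            bursts[key].append([])  # start a new burst for this pair
        bursts[key][-1].append(port)
        last_seen[key] = ts
    counts = defaultdict(lambda: defaultdict(int))
    for (src, _dst), groups in bursts.items():
        for ports in groups:
            counts[src][PATTERNS.get(tuple(ports), "unmatched")] += 1
    return {src: dict(c) for src, c in counts.items()}

def sample_events():
    """Constructed log entries (documentation address ranges), not real captures."""
    t0 = datetime(2004, 2, 11, 18, 22, 5)
    ev = []
    # One source walking two adjacent addresses with 1080, 10080, 3128.
    for i, dst in enumerate(("198.51.100.10", "198.51.100.11")):
        for j, port in enumerate((1080, 10080, 3128)):
            ev.append((t0 + timedelta(seconds=5 * i + j), "192.0.2.7", dst, port))
    # A second source sending 3128, 3128, 1080, 1080 to one address.
    for j, port in enumerate((3128, 3128, 1080, 1080)):
        ev.append((t0 + timedelta(seconds=3 * j), "192.0.2.99", "198.51.100.10", port))
    # A lone 8080 probe matches none of the four patterns.
    ev.append((t0, "192.0.2.50", "198.51.100.10", 8080))
    return ev

if __name__ == "__main__":
    for src, labels in classify_scans(sample_events()).items():
        print(src, labels)
```

Sequences are matched exactly, so a sensor that cannot see one of the ports (as with 3127 in the quoted message) will report the remaining ports as a different or unmatched sequence.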



