[Dshield] MyDoom/NoVarg DoS details

Johannes B. Ullrich jullrich at sans.org
Tue Jan 27 23:34:30 GMT 2004


On Tue, 2004-01-27 at 18:03, Pete Cap wrote:
> Johannes,
>  
> I read that the worm listens on TCP 3127-3198.
> Checked out a few of those ports on DShield and noticed that a few of them exhibit the same behavior: generally pretty quiet, enormous spikes, then back to being quiet.  A few of those ports are very noisy, but obviously you see where I'm going with this...is the author scanning for infected machines?  Would be interesting to see if we could capture that traffic and try to get the worm to respond to it.

I only looked at 3127 in more detail. This port is overall very quiet,
which makes it easy to look at details (3128 for example is used by
'squid', which people scan for all the time).

After removing some likely false positives, there are a total of 349
sources left. 

Here are sources that scanned port 3127 on more than 2 different days:

+-----------------+-------+
| source          | dates |
+-----------------+-------+
| 062.058.050.220 |     6 |
| 213.180.193.068 |     5 |
| 024.066.103.096 |     5 |
| 064.004.012.201 |     4 |
| 019.195.020.241 |     4 |
| 069.057.158.037 |     3 |
| 200.195.205.114 |     3 |

Sources that hit one or more targets:

+-----------------+---------+
| source          | targets |
+-----------------+---------+
| 066.133.152.024 |      35 |
| 213.180.193.068 |       7 |
| 130.239.205.066 |       7 |
| 024.066.103.096 |       6 |
| 200.083.196.045 |       6 |
| 064.004.012.201 |       5 |
| 062.058.050.220 |       5 |


66.133.152.024 is kind of interesting. It scanned 444 and 135 as well.

Maybe I will dump the port 3127 data some place to allow others to look.
It's only 1008 packets total.

> In your lab, have you tried communicating with it on the ports it's supposed to open (basic syns etc.)?
>  
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
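The two tables above come from aggregating per-source activity on port 3127 by distinct days and by distinct targets. The following is an added example of that aggregation, not code from the DShield project or from the list; it uses a constructed, simplified record layout (date, source, target, destination port) rather than DShield's real submission format, and its single-packet noise filter is a placeholder heuristic, not the false-positive filter Johannes applied.

```python
from collections import defaultdict
from datetime import date
# Constructed sample records (not real DShield data) in a simplified
# whitespace-separated layout assumed here: date source target dport
SAMPLE_LOGS = """\
2004-01-26 10.0.0.5 192.0.2.10 3127
2004-01-26 10.0.0.5 192.0.2.11 3127
2004-01-27 10.0.0.5 192.0.2.12 3127
2004-01-28 10.0.0.5 192.0.2.10 3127
2004-01-27 10.0.0.9 192.0.2.10 3127
2004-01-27 10.0.0.9 192.0.2.13 3127
2004-01-27 10.0.0.9 192.0.2.10 3128
2004-01-26 10.0.0.7 192.0.2.10 3127
2004-01-27 10.0.0.7 192.0.2.10 3127
2004-01-27 10.0.0.8 192.0.2.10 3127
"""

def parse(lines):
    """Yield (day, source, target, dport) tuples, skipping blank lines."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        day, src, dst, dport = line.split()
        yield date.fromisoformat(day), src, dst, int(dport)

def summarize(lines, port=3127, min_packets=2):
    """Per-source sets of distinct days and targets on one port. Sources with
    fewer than min_packets records are dropped (placeholder noise heuristic)."""
    days, targets, packets = defaultdict(set), defaultdict(set), defaultdict(int)
    for day, src, dst, dport in parse(lines):
        if dport != port:
            continue
        packets[src] += 1
        days[src].add(day)
        targets[src].add(dst)
    keep = {s for s, n in packets.items() if n >= min_packets}
    return ({s: days[s] for s in keep}, {s: targets[s] for s in keep})

def rank(per_source, minimum):
    # (source, count) rows with count >= minimum, highest count first
    rows = [(s, len(v)) for s, v in per_source.items() if len(v) >= minimum]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def persistent_sources(lines, port=3127, min_days=3):
    """Sources seen on more than two distinct days, as in the first table."""
    return rank(summarize(lines, port)[0], min_days)

def multi_target_sources(lines, port=3127, min_targets=2):
    """Sources that hit several distinct targets on the port (second table)."""
    return rank(summarize(lines, port)[1], min_targets)
```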