[Dshield] Korgo Infections at 50%

Blake McNeill mcneillb at linklogger.com
Sat Jun 12 16:05:31 GMT 2004


I thought I'd return the favour of the 2050 systems which scanned my port
445 on June 10th (local date/time) and scan them back looking for worm
signatures in open ports. Of course, since the scan was performed at 1 am on
June 11, some of the systems scanned are not the same systems that scanned
me, etc., but it is just an experiment and I'll live with the various
imperfections in order to get an idea as to what is out there.

Of the 2050 systems, I found 605 systems which responded to an ICMP ping.
Here is a rough breakdown of the interesting open ports I found (I scanned
for 36 TCP ports and 8 UDP ports).

396 - TCP Port 1025
367 - TCP Port 445
366 - TCP Port 5000
299 - TCP Port 113 (Korgo)
279 - TCP Port 3067 (Korgo)
271 - TCP Port 123
55 - TCP Port 22
40 - TCP Port 80
18 - TCP Port 21
16 - TCP Port 25
15 - TCP Port 1023 (Sasser.G)
10 - TCP Port 110
9 - TCP Port 5554 (Sasser)
9 - TCP Port 1022 (Sasser.G)
5 - TCP Port 9996 (Sasser)
5 - TCP Port 559
3 - TCP Port 4444 (MSBlast)
3 - TCP Port 1433
2 - TCP Port 8967 (Dabber)
1 - TCP Port 65506
1 - TCP Port 3127 - oh how the mighty have fallen

So roughly half of the systems I scanned showed a Korgo port signature
(113/3067).

One system was totally amazing for open ports (please tell me this is a
honey pot).
29 open TCP ports: 22, 25, 80, 110, 113, 119, 135, 139, 420, 445, 559, 1022,
1023, 1025, 1433, 2041, 2745, 3067, 3127, 4444, 5000, 5300, 6129, 8967,
9898, 9996, 9999, 28856, 65506
1 open UDP port: 137

Blake
http://www.LinkLogger.com
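The scan-back-and-tally procedure the post describes, as an added example that is not part of the original message or LinkLogger's tooling. It connect-scans a host list for the port set the post tallies, labels ports with the worm names the post uses, and produces the same "count - TCP Port N (worm)" table. Two assumptions are mine: a host only counts as a Korgo hit when both 113 and 3067 are open (113 alone is just as likely identd), and the host list and scan results below are constructed, standing in for a real run of scan_hosts() against the addresses that hit your 445.

```python
"""Scan back a list of hosts for worm-signature TCP ports and tally the results.

Added example; not the original poster's code. The port-to-worm labels are the
ones the post uses. SAMPLE_RESULTS is constructed data standing in for a real
scan_hosts() run.
"""
import socket
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Listener/backdoor ports as labelled in the post.
WORM_PORTS = {
    113: "Korgo", 3067: "Korgo",
    1023: "Sasser.G", 1022: "Sasser.G",
    5554: "Sasser", 9996: "Sasser",
    4444: "MSBlast",
    8967: "Dabber",
}

# TCP ports to probe: the worm ports plus the common services the post lists.
PROBE_PORTS = sorted(set(WORM_PORTS) | {21, 22, 25, 80, 110, 123, 445, 559,
                                        1025, 1433, 3127, 5000, 65506})


def tcp_open(host, port, timeout=1.0):
    """True if a full TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports=PROBE_PORTS, timeout=1.0):
    """Connect-scan one host; returns the set of open ports."""
    return {p for p in ports if tcp_open(host, p, timeout)}


def scan_hosts(hosts, workers=32):
    """Scan many hosts concurrently; returns {host: set(open_ports)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(hosts, pool.map(scan_host, hosts)))


def worm_signatures(open_ports):
    """Names of worms whose listener ports are open on a host.

    Assumption of this example: Korgo is only counted when BOTH 113 and 3067
    are open, because 113 by itself is commonly a plain identd.
    """
    found = {WORM_PORTS[p] for p in open_ports
             if p in WORM_PORTS and WORM_PORTS[p] != "Korgo"}
    if {113, 3067} <= set(open_ports):
        found.add("Korgo")
    return found


def tally(results):
    """How many hosts had each port open, highest count first (port as tiebreak)."""
    counts = Counter(p for ports in results.values() for p in ports)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def korgo_fraction(results):
    """Fraction of responding hosts showing the Korgo 113+3067 signature."""
    if not results:
        return 0.0
    hits = sum(1 for ports in results.values() if "Korgo" in worm_signatures(ports))
    return hits / len(results)


# Constructed sample results (RFC 5737 documentation addresses), not real scan data.
SAMPLE_RESULTS = {
    "192.0.2.10": {445, 1025, 5000, 113, 3067},        # Korgo signature
    "192.0.2.11": {445, 1025, 113, 3067, 1023, 1022},  # Korgo + Sasser.G
    "192.0.2.12": {22, 80, 113},                       # identd only, not Korgo
    "192.0.2.13": {445, 5554, 9996},                   # Sasser
}

if __name__ == "__main__":
    # Replace SAMPLE_RESULTS with scan_hosts(hosts) to run it for real.
    for port, n in tally(SAMPLE_RESULTS):
        tag = f" ({WORM_PORTS[port]})" if port in WORM_PORTS else ""
        print(f"{n} - TCP Port {port}{tag}")
    print(f"Korgo signature on {korgo_fraction(SAMPLE_RESULTS):.0%} of responding hosts")
```

Only scan addresses you are entitled to probe; a connect scan of 2000 hosts on 36 ports is noisy and will itself show up in other people's DShield submissions.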
