[Dshield] Port 16387

Bill McCarty bmccarty at pt-net.net
Tue Mar 23 16:32:49 GMT 2004


Hi Stephane,

--On Tuesday, March 23, 2004 1:44 PM +0100 Stephane Grobety 
<security at admin.fulgan.com> wrote:

> BM> By any chance, do most of the incoming packets have source port
> BM> 4000? If so, you could be looking at Witty worm traffic.
>
> Witty uses a random destination port... I should know: it blew up my
> server...

Witty's destination port appears random. But, I've noted that, across my 
Class C, the random value is fixed for a given destination IP. So, a single 
host could get Witty traffic from a variety of infected attackers, all 
targeting a single destination port. That resembles the situation reported 
by Mike.

At least one other observer has reported that Witty sometimes targets 
multiple ports. But, I myself cannot confirm that behavior.

Cheers,

---------------------------------------------------
Bill McCarty
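
Added example, not part of the original post: one way to check your own firewall logs for the pattern described above, where several sources using source port 4000 all hit the same destination port on a given destination IP. The record layout, the sample records, the `summarize` name and the restriction to UDP are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample records (not real captures):
# (src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE = [
    ("198.51.100.7",  4000,  "192.0.2.10", 16387, "udp"),
    ("203.0.113.21",  4000,  "192.0.2.10", 16387, "udp"),
    ("198.51.100.99", 4000,  "192.0.2.10", 16387, "udp"),
    ("203.0.113.5",   4000,  "192.0.2.11", 40211, "udp"),
    ("198.51.100.7",  4000,  "192.0.2.11", 40211, "udp"),
    ("203.0.113.80",  4000,  "192.0.2.12", 9120,  "udp"),
    ("198.51.100.44", 4000,  "192.0.2.12", 51002, "udp"),
    ("203.0.113.9",   53124, "192.0.2.10", 16387, "udp"),  # other source port
    ("203.0.113.9",   4000,  "192.0.2.10", 80,    "tcp"),  # not UDP
]


def summarize(records, src_port=4000, min_sources=2):
    """For each destination IP, list the destination ports that received
    UDP packets from `src_port` and count the distinct senders.

    `single_port` is True when every matching sender hit the same
    destination port on that IP, which is the pattern in the post.
    """
    hits = defaultdict(lambda: defaultdict(set))  # dst_ip -> dst_port -> {src_ip}
    for src_ip, sport, dst_ip, dport, proto in records:
        if proto == "udp" and sport == src_port:
            hits[dst_ip][dport].add(src_ip)

    report = {}
    for dst_ip, by_port in hits.items():
        sources = set().union(*by_port.values())
        if len(sources) < min_sources:
            continue  # one sender cannot show agreement between senders
        report[dst_ip] = {
            "sources": len(sources),
            "dst_ports": sorted(by_port),
            "single_port": len(by_port) == 1,
        }
    return report


if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE).items()):
        print(ip, row)
```

A destination IP reported with `single_port` False and several senders would be a data point for the multiple-port behavior mentioned in the post.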



