[Dshield] Port 16387

Mike Yates myates at Washtechnical.com
Tue Mar 23 17:46:07 GMT 2004

----- Original Message ----- 
From: "Bill McCarty" <bmccarty at pt-net.net>
To: "General DShield Discussion List" <list at dshield.org>; "Stephane Grobety"
<security at admin.fulgan.com>
Sent: Tuesday, March 23, 2004 8:32 AM
Subject: Re: Re[2]: [Dshield] Port 16387

> Hi Stephane,
> --On Tuesday, March 23, 2004 1:44 PM +0100 Stephane Grobety
> <security at admin.fulgan.com> wrote:
> > BM> By any chance, do most of the incoming packets have source port
> > BM> 4000? If so, you could be looking at Witty worm traffic.
> >
> > Witty uses a random destination port... I should know: it blew up my
> > server...
> Witty's destination port appears random. But, I've noted that, across my
> Class C, the random value is fixed for a given destination IP. So, a
> host could get Witty traffic from a variety of infected attackers, all
> targeting a single destination port. That resembles the situation reported
> by Mike.

Very similar to our current situation.  It does, however appear to be
targeted as only 1 of my external addresses is getting tagged.  Not a single
instance on any other external address.........

> At least one other observer has reported that Witty sometimes targets
> multiple ports. But, I myself cannot confirm that behavior.
> Cheers,
> ---------------------------------------------------
> Bill McCarty
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list