[Dshield] Port 16387
myates at Washtechnical.com
Tue Mar 23 17:46:07 GMT 2004
----- Original Message -----
From: "Bill McCarty" <bmccarty at pt-net.net>
To: "General DShield Discussion List" <list at dshield.org>; "Stephane Grobety"
<security at admin.fulgan.com>
Sent: Tuesday, March 23, 2004 8:32 AM
Subject: Re: Re: [Dshield] Port 16387
> Hi Stephane,
> --On Tuesday, March 23, 2004 1:44 PM +0100 Stephane Grobety
> <security at admin.fulgan.com> wrote:
> > BM> By any chance, do most of the incoming packets have source port
> > BM> 4000? If so, you could be looking at Witty worm traffic.
> > Witty uses a random destination port... I should know: it blew up my
> > server...
> Witty's destination port appears random. But, I've noted that, across my
> Class C, the random value is fixed for a given destination IP. So, a
> host could get Witty traffic from a variety of infected attackers, all
> targeting a single destination port. That resembles the situation reported
> by Mike.
Very similar to our current situation. It does, however appear to be
targeted as only 1 of my external addresses is getting tagged. Not a single
instance on any other external address.........
> At least one other observer has reported that Witty sometimes targets
> multiple ports. But, I myself cannot confirm that behavior.
> Bill McCarty
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list