[Dshield] Port 16387

John Sage jsage at finchhaven.com
Tue Mar 23 17:24:56 GMT 2004


On Tue, Mar 23, 2004 at 01:44:32PM +0100, Stephane Grobety wrote:
> Date: Tue, 23 Mar 2004 13:44:32 +0100
> From: Stephane Grobety <security at admin.fulgan.com>
> To: General DShield Discussion List <list at dshield.org>
> Subject: Re[2]: [Dshield] Port 16387
> 
> BM> By any chance, do most of the incoming packets have source port
> BM> 4000? If so, you could be looking at Witty worm traffic.
> 
> Witty uses a random destination port... I should know: it blew up my
> server...

There are indications that the destination port, although *chosen*
randomly or by some sort of algorithm related to the destination IP
address, remains constant for a given destination IP address once
chosen.

I have only seen witty packets to my UDP:7141, for example..


- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."




More information about the list mailing list