[Dshield] Port 16387
myates at Washtechnical.com
Tue Mar 23 18:37:42 GMT 2004
----- Original Message -----
From: "John Sage" <jsage at finchhaven.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, March 23, 2004 9:24 AM
Subject: Re: [Dshield] Port 16387
> On Tue, Mar 23, 2004 at 01:44:32PM +0100, Stephane Grobety wrote:
> > Date: Tue, 23 Mar 2004 13:44:32 +0100
> > From: Stephane Grobety <security at admin.fulgan.com>
> > To: General DShield Discussion List <list at dshield.org>
> > Subject: Re: [Dshield] Port 16387
> > BM> By any chance, do most of the incoming packets have source port
> > BM> 4000? If so, you could be looking at Witty worm traffic.
> > Witty uses a random destination port... I should know: it blew up my
> > server...
> There are indications that the destination port, although *chosen*
> randomly or by some sort of algorithm related to the destination IP
> address, remains constant for a given destination IP address once
> I have only seen witty packets to my UDP:7141, for example..
But would 48 seperate inbounds (from all over the planet) be using the same
target port for a given destination address? This would imply either 1) a
coordination or 2) a freak chance and I should buy a lottery ticket :-)
> - John
> "Mad cow? You'd be mad too, if someone was trying to eat you."
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list