[Dshield] Port 16387

Mike Yates myates at Washtechnical.com
Tue Mar 23 18:37:42 GMT 2004


----- Original Message ----- 
From: "John Sage" <jsage at finchhaven.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, March 23, 2004 9:24 AM
Subject: Re: [Dshield] Port 16387


> On Tue, Mar 23, 2004 at 01:44:32PM +0100, Stephane Grobety wrote:
> > Date: Tue, 23 Mar 2004 13:44:32 +0100
> > From: Stephane Grobety <security at admin.fulgan.com>
> > To: General DShield Discussion List <list at dshield.org>
> > Subject: Re[2]: [Dshield] Port 16387
> >
> > BM> By any chance, do most of the incoming packets have source port
> > BM> 4000? If so, you could be looking at Witty worm traffic.
> >
> > Witty uses a random destination port... I should know: it blew up my
> > server...
>
> There are indications that the destination port, although *chosen*
> randomly or by some sort of algorithm related to the destination IP
> address, remains constant for a given destination IP address once
> chosen.
>
> I have only seen witty packets to my UDP:7141, for example..

But would 48 separate inbounds (from all over the planet) be using the same
target port for a given destination address?  This would imply either 1) a
coordination or 2) a freak chance and I should buy a lottery ticket :-)

>
>
> - John
> -- 
> "Mad cow? You'd be mad too, if someone was trying to eat you."
>
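
Added example, not part of the original message or any DShield code: one way to check the question raised above against your own firewall logs is to group UDP packets with source port 4000 by destination address and count how many distinct sources land on each destination port. The five-field record format, the function names and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
UDP 198.51.100.7 4000 192.0.2.10 16387
UDP 203.0.113.44 4000 192.0.2.10 16387
UDP 198.51.100.91 4000 192.0.2.10 16387
UDP 203.0.113.5 4000 192.0.2.10 7141
UDP 198.51.100.7 4000 192.0.2.20 7141
UDP 203.0.113.80 1025 192.0.2.10 16387
TCP 203.0.113.9 4000 192.0.2.10 16387
garbage line
"""

def parse(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    proto, src_ip, sport, dst_ip, dport = parts
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return proto.upper(), src_ip, int(sport), dst_ip, int(dport)

def port_profile(log_text, src_port=4000):
    """Map dst_ip -> {dst_port: set of source IPs}, for UDP from src_port only."""
    profile = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        proto, src_ip, sport, dst_ip, dport = rec
        if proto == "UDP" and sport == src_port:
            profile[dst_ip][dport].add(src_ip)
    return profile

def summarize(profile):
    """Per dst_ip: (distinct sources, most-hit port, share of sources on that port)."""
    out = {}
    for dst_ip, ports in profile.items():
        all_sources = set().union(*ports.values())
        top_port, top_sources = max(ports.items(), key=lambda kv: len(kv[1]))
        out[dst_ip] = (len(all_sources), top_port, len(top_sources) / len(all_sources))
    return out

if __name__ == "__main__":
    for dst, (n, port, share) in sorted(summarize(port_profile(SAMPLE_LOG)).items()):
        print(f"{dst}: {n} sources, top port {port}, {share:.0%} of sources on it")
```

A share close to 100% across many unrelated sources matches the "constant port per destination" behaviour described in the quoted reply; a flat spread of ports matches a purely random choice per packet.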
