[unisog] Re: Coordinated Scan

Ed Zawacki edz at uic.edu
Mon Mar 25 15:28:24 GMT 2002


At 03:30 PM 3/22/2002 -0500, Anderson Johnston wrote:
>On Fri, 22 Mar 2002, Sherry M. Rogers wrote:
>
> >
> > We were one of the campuses with hosts involved in the scan Tracey
> > described.  Our network people blocked a couple of hosts because of what
> > looked like ddos activity and we were able to correlate this with odd
> > packets being flagged by our NIDS (bro) as excessive length ntp/port 123
> > traffic.
> >
> > We identified 13 Windows hosts altogether.  When scanned with nmap there
> > were two interesting ports open - a port 99 which disappeared on
> > subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
> > was running a program written by "darkIRC".
> >


I just checked one of our infected systems. Port 99 is a command shell that
closes after use.

edz

-------------------------------------------------------------------------------------------------------------------------------
Edward Zawacki                                  University of Illinois at Chicago
Security Officer                                        (312) 996-0658
ACCC


