[unisog] As the worm turns, Slapper variants begin using UDP ports 4156 and 1978 (instead of 2002)
H. Morrow Long
morrow.long at yale.edu
Sun Sep 22 22:29:40 GMT 2002
Glad to be of any help.
However, the ones I saw at 1978 and 4156 did have the same UDP port for
both source and destination (just like the original Slapper which used 2002).
And "srcport == dstport" is also still the observed behaviour in the ISS
writeup on the new Slapper (Slapper.B) available now at :
Note that the new version has just a few slight differences from the original:
- UDP port is 4156
- Sends email (IP #, Hostname and upstream infector) to aion at ukr.net
- Sets up secondary backdoor trojan port requiring password at TCP port 1052 (there seems to be some confusion as some writeups say 1025).
- Different set of filenames in /tmp (httpd is worm bin, update is backdoor process and .unlock is the gzipped source file for worm & backdoor).
Slapper.B also changes its process name to "httpd", so as to masquerade as a copy of the Apache web server.
Are you sure that the traffic you saw below is from a Slapper worm variant? (Also, I'd sanitize any IP #s before sending 'em out, as the traffic below may be other legitimate, but private, traffic such as P2P or online gaming.)
Were there any of the other signs of Slapper on the Brandeis host?
Was it scanning Internet hosts, probing TCP ports 80 and 443?
H. Morrow Long
Rich Graves wrote:
> On Sun, 22 Sep 2002, H. Morrow Long wrote:
>>Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
>>Slapper using UDP port 4156 today (and apparently yesterday as well
> Thanks for the heads up, one down.
> Note it doesn't have the friendly, easy-to-distinguish source = destination
> behavior of the original.
> 129.64.154.X 12.240.146.Y 17 27015 4156 333 2
> 129.64.154.X 61.35.130.Z 17 27015 4156 330 2
> 129.64.154.X 24.95.183.ZZ 17 27015 4156 330 2
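The two checks this exchange turns on are the network heuristic (UDP on a known Slapper port with source port equal to destination port, which the reply's records at 27015 -> 4156 do not satisfy) and the Slapper.B host signs listed above (backdoor listener on TCP 1052, the /tmp files, a process named httpd running from /tmp). The following is an added triage helper written for this page, not code from the thread or from any Slapper writeup; it runs only on constructed sample data embedded inline. The flow-record column layout (src dst proto sport dport bytes packets) is an assumption made from the shape of the quoted records, and the /proc/net/tcp excerpt is constructed.

```python
"""Triage helpers built from the Slapper / Slapper.B indicators quoted in this thread.

Everything below runs on constructed sample data; it opens no sockets and reads no files.
The flow-record column layout (src dst proto sport dport bytes packets) is an assumption
made from the records quoted in the reply; adjust parse_flow_line() for your collector.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SLAPPER_UDP_PORTS = {2002, 4156, 1978}       # original worm port and the two variant ports seen
SLAPPER_B_BACKDOOR_TCP = {1052, 1025}         # 1052 per the ISS writeup; some writeups say 1025
SLAPPER_B_TMP_FILES = {"/tmp/httpd", "/tmp/update", "/tmp/.unlock"}
UDP = 17


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    octets: int
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the assumed layout: src dst proto sport dport bytes packets."""
    f = line.split()
    if len(f) != 7:
        raise ValueError(f"expected 7 columns, got {len(f)}: {line!r}")
    return Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]), int(f[6]))


def classify_flow(flow: Flow) -> str:
    """'slapper-p2p': UDP on a known Slapper port with sport == dport, the worm's own
    peer traffic as described for 2002 and observed at 4156/1978.
    'review': UDP touching a known port but sport != dport; as the thread notes this may
    be ordinary P2P or gaming traffic, so it needs corroborating host evidence.
    'benign': anything else."""
    if flow.proto != UDP:
        return "benign"
    if flow.sport in SLAPPER_UDP_PORTS or flow.dport in SLAPPER_UDP_PORTS:
        return "slapper-p2p" if flow.sport == flow.dport else "review"
    return "benign"


def triage_flows(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group source hosts by verdict; each host keeps its strongest verdict."""
    rank = {"benign": 0, "review": 1, "slapper-p2p": 2}
    best: Dict[str, str] = {}
    for line in lines:
        if not line.strip():
            continue
        fl = parse_flow_line(line)
        v = classify_flow(fl)
        if fl.src not in best or rank[v] > rank[best[fl.src]]:
            best[fl.src] = v
    out: Dict[str, List[str]] = {"slapper-p2p": [], "review": [], "benign": []}
    for host, v in best.items():
        out[v].append(host)
    return out


def listening_tcp_ports(proc_net_tcp: str) -> Set[int]:
    """Extract LISTEN (state 0A) local ports from /proc/net/tcp-format text.
    The local address column is hex 'ADDR:PORT'; the header line is skipped."""
    ports: Set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) >= 4 and f[3] == "0A":
            ports.add(int(f[1].rsplit(":", 1)[1], 16))
    return ports


def host_indicators(listen_ports: Set[int], present_files: Set[str],
                    processes: Iterable[Tuple[str, str]]) -> List[str]:
    """Combine the Slapper.B host signs from the thread into a list of findings.
    processes is (comm, exe_path): a process calling itself 'httpd' but executing
    from /tmp matches the masquerading behaviour described."""
    findings: List[str] = []
    for p in sorted(listen_ports & SLAPPER_B_BACKDOOR_TCP):
        findings.append(f"tcp/{p} listening (Slapper.B backdoor port)")
    for path in sorted(present_files & SLAPPER_B_TMP_FILES):
        findings.append(f"{path} present")
    for comm, exe in processes:
        if comm == "httpd" and exe.startswith("/tmp/"):
            findings.append(f"process 'httpd' running from {exe}")
    return findings


# Constructed records laid out like the three quoted in the reply (documentation addresses).
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 17 27015 4156 333 2
10.0.0.5 192.0.2.11 17 27015 4156 330 2
10.0.0.9 198.51.100.7 17 4156 4156 512 3
10.0.0.9 198.51.100.8 17 2002 2002 512 3
10.0.0.12 203.0.113.4 6 40000 443 1500 10
"""

# Constructed /proc/net/tcp excerpt: 0x0050 = tcp/80 and 0x041C = tcp/1052, both LISTEN (0A).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:041C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0A000005:0016 C0000202:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
"""
SAMPLE_FILES = {"/tmp/httpd", "/tmp/.unlock", "/tmp/orbit-root"}   # constructed directory listing
SAMPLE_PROCS = [("sshd", "/usr/sbin/sshd"), ("httpd", "/tmp/httpd"), ("httpd", "/usr/sbin/httpd")]

if __name__ == "__main__":
    print(triage_flows(SAMPLE_FLOWS.splitlines()))
    print(host_indicators(listening_tcp_ports(SAMPLE_PROC_NET_TCP), SAMPLE_FILES, SAMPLE_PROCS))
```

On the sample data the 27015 -> 4156 records land in "review" rather than "slapper-p2p", which is exactly the distinction the reply draws: a known destination port alone is not the worm's signature, and the host-side findings (the tcp/1052 listener, /tmp/httpd and /tmp/.unlock, an httpd process executing from /tmp) are what turn a flow hit into a confirmed infection.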