[unisog] As the worm turns, Slapper variants begin using UDP ports 4156 and 1978 (instead of 2002)

H. Morrow Long morrow.long at yale.edu
Sun Sep 22 22:29:40 GMT 2002


Glad to be of any help.

However, the ones I saw at 1978 and 4156 did have the same UDP port for
both source and destination (just like the original Slapper which used 2002).

And "srcport == dstport" is also still the observed behaviour in the ISS
writeup on the new Slapper (Slapper.B) available now at :

  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184

Note that the new version has just a few slight differences from the original:
	UDP port is 4156
	Sends email (IP #, Hostname and upstream infector) to aion at ukr.net
	Sets up secondary backdoor trojan port requiring password at TCP port
		1052 (there seems to be some confusion as some writeups say 1025).
	Different set of filenames in /tmp (httpd is worm bin, update is backdoor
		process and .unlock is the gzipped source file for worm & backdoor).
	Slapper.B also changes its process name to "httpd", so as to masquerade
		as a copy of the Apache web server.

Are you sure that the traffic you saw below is from a Slapper worm variant
(also, I'd sanitize any IP #s before sending 'em out, as the traffic below may
be other legitimate, but private, traffic such as P2P or online gaming.).

Were there any of the other signs of Slapper on the Brandeis host?
Was it scanning Internet hosts, probing TCP ports 80 and 443?

H. Morrow Long


Rich Graves wrote:
> On Sun, 22 Sep 2002, H. Morrow Long wrote:
> 
> 
>>Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
>>Slapper using UDP port 4156 today (and apparently yesterday as well
> 
> 
> Thanks for the heads up, one down.
> 
> Note it doesn't have the friendly, easy-to-distinguish source = destination 
> behavior of the original.
> 
> 129.64.154.X    12.240.146.Y    17    27015    4156     333         2         
> 129.64.154.X    61.35.130.Z     17    27015    4156     330         2         
> 129.64.154.X    24.95.183.ZZ    17    27015    4156     330         2         




More information about the unisog mailing list