[unisog] As the worm turns, Slapper variants begin using UDP ports 4156 and 1978 (instead of 2002)
baldwinL at mynetwatchman.com
Mon Sep 23 21:19:41 GMT 2002
Firewalls in our sensor network logged a significant volume of udp/4156
probes today (7500+ unique source IPs) targeting one specific IP within
our participant's network. These probes were blocked due to pre-existing
After further investigation, it was determined that the target host was
compromised with Slapper.B (tcp/80 and tcp/443 WERE allowed).
Even unsuccessful udp/4156 probes from a high number of distinct source IPs
may be a strong indication that the *target* IP is compromised.
I'm in the process of emailing the owners of the 7500 hosts that were
attempting to communicate with the compromised host as they are likely
compromised as well...that list consisted of a high number of academic
I have not seen any udp/1978 probes...yet.
The Internet Neighborhood Watch
From: H. Morrow Long [mailto:morrow.long at yale.edu]
Sent: Sunday, September 22, 2002 18:30
To: Rich Graves
Cc: unisog at sans.org; itsiso.staff at yale.edu;
information.security at med.yale.edu
Subject: Re: [unisog] As the worm turns, Slapper variants begin using
UDP ports 4156 and 1978 (instead of 2002)
Glad to be of any help.
However, the ones I saw at 1978 and 4156 did have the same UDP port for
both source and destination (just like the original Slapper which used
And "srcport == dstport" is also still the observed behaviour in the ISS
writeup on the new Slapper (Slapper.B) available now at :
Note that the new version has just a few slight differences from the
UDP port is 4156
Sends email (IP #, Hostname and upstream infector) to aion at ukr.net
Sets up secondary backdoor trojan port requiring password at TCP port
1052 (there seems to be some confusion as some writeups say 1025).
Different set of filenames in /tmp (httpd is worm bin, update is backdoor
process and .unlock is the gzipped source file for worm & backdoor).
Slapper.B also changes its process name to "httpd", so as to masquerade
as a copy of the Apache web server.
Are you sure that the traffic you saw below is from a Slapper worm variant
(also, I'd sanitize any IP #s before sending 'em out, as the traffic below
be other legitimate, but private, traffic such as P2P or online gaming.).
Were there any of the other signs of Slapper on the Brandeis host?
Was it scanning Internet hosts, probing TCP ports 80 and 443?
H. Morrow Long
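The indicator both messages describe (many distinct sources sending UDP probes on 4156/1978/2002 with source port equal to destination port, all aimed at one host, which points at the *target* being infected) can be checked directly against firewall logs. The following is an added example, not code from either poster; the log line format, the documentation-range addresses, and the threshold of 3 distinct sources are constructed assumptions (the real event involved 7500+).

```python
from collections import defaultdict
import re

# Constructed sample log lines (not from the original thread) in an assumed
# "firewall drop" format; the IPs are documentation-range addresses.
SAMPLE_LOG = """\
2002-09-23 20:01:11 DROP UDP 198.51.100.7:4156 -> 203.0.113.5:4156
2002-09-23 20:01:15 DROP UDP 198.51.100.8:4156 -> 203.0.113.5:4156
2002-09-23 20:01:19 DROP UDP 192.0.2.44:4156 -> 203.0.113.5:4156
2002-09-23 20:01:20 DROP UDP 192.0.2.44:4156 -> 203.0.113.5:4156
2002-09-23 20:02:02 DROP UDP 192.0.2.99:1978 -> 203.0.113.5:1978
2002-09-23 20:03:40 DROP UDP 198.51.100.20:33912 -> 203.0.113.9:4156
2002-09-23 20:04:01 DROP UDP 192.0.2.10:4156 -> 203.0.113.9:4156
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \w+ (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Original Slapper peer port, then the two variant ports named in the thread.
SLAPPER_UDP_PORTS = {2002, 1978, 4156}

def parse(line):
    """Return (proto, src, sport, dst, dport) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def suspected_targets(log_text, min_sources=3):
    """Map each destination IP that receives Slapper-style UDP probes
    (src port == dst port, port in the known set) from at least min_sources
    distinct hosts to the set of those sources. Dropped packets still count:
    the peers were trying to reach a host they believe is part of the P2P net,
    so the target is the likely infection, and each source is a candidate too."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src, sport, dst, dport = rec
        if proto == "UDP" and sport == dport and dport in SLAPPER_UDP_PORTS:
            peers[dst].add(src)
    return {dst: srcs for dst, srcs in peers.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for dst, srcs in suspected_targets(SAMPLE_LOG).items():
        print(f"{dst}: {len(srcs)} distinct peers on Slapper UDP ports, likely infected")
```

The host on 203.0.113.9 is not flagged: one probe has an ephemeral source port, which is the ordinary traffic Morrow Long warns could be mistaken for the worm, and only one true peer remains.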