[unisog] IRCd 6667 followed by 445 SYN scan

Ken Connelly Ken.Connelly at uni.edu
Fri Apr 4 12:14:50 GMT 2003


Fits right in with the large increase in SYN scans for 445 that I've 
seen knocking on the door here:

    * prior to March 22, generally fewer than 100,000 packets/day
    * since then...
          o 3/23  267,409
          o 3/24  278,897
          o 3/25  519,641
          o 3/26  405,320
          o 3/27  630,725
          o 3/28  535,195
          o 3/29  1,035,126
          o 3/30  886,477
          o 3/31  708,002
          o 4/1   678,815
          o 4/2   107,944
          o 4/3   7,922

Perhaps the tide has turned?  Or, after looking at dshield, perhaps not.
What I'm seeing certainly doesn't reflect the big picture as seen there.

- ken

Harris, Michael C. wrote:

>Anyone else seeing compromised machines that are doing outbound SYN scans on port 445 and are under control via irc port 6667?  Blocking the 6667 traffic stops the scanning.  Compromised hosts show positive infection of W32Kwbot.E.Worm as per NAV, but forensics show this as a different virus/worm. I have confirmed this is not Deloder or Netspree as well.
> 
>A file named "Yes Uninstaller.exe" found on compromised hosts written to Windows and system32 directories at the moment of compromise.
>
>	Created directories:
>	C:\WINDOWS\System32\drivers\media\cat32
>	C:\WINDOWS\System32\drivers\media
>	Installed files:
>	C:\WINDOWS\System32\drivers\media\cat32\delttsul.exe
>	C:\WINDOWS\System32\drivers\media\cat32\doskey.exe
>	C:\WINDOWS\System32\drivers\media\cat32\usrmgr.exe
>	C:\WINDOWS\System32\drivers\media\cat32\tifflt.dll
>	C:\WINDOWS\System32\drivers\media\cat32\termsrv.exe
>	C:\WINDOWS\System32\drivers\media\cat32\TAPI.EXE
>	C:\WINDOWS\System32\drivers\media\cat32\services.exe
>	C:\WINDOWS\System32\drivers\media\cat32\rcfg.ini
>	C:\WINDOWS\System32\drivers\media\cat32\oissq400.dll
>	C:\WINDOWS\System32\drivers\media\cat32\ntds.dit
>	C:\WINDOWS\System32\drivers\media\cat32\ntbooks.exe
>	C:\WINDOWS\System32\drivers\media\cat32\hlink.bat
>	C:\WINDOWS\System32\drivers\media\cat32\faxocm.bat
>	C:\WINDOWS\System32\drivers\media\cat32\wmvdmoe2.dll
>	Created registry values:
>	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
>	Value: Services
>	
>
>	Mike 
>
>	-------------------------------------------------- 
>	Michael C Harris 
>	System Security Analyst 
>	University of Missouri Health Center 
>
>	harrismc at health.missouri.edu 
>	-------------------------------------------------- 
>

-- 
- Ken
===========================================================================
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa                     Cedar Falls, IA  50614-0121
email: Ken.Connelly at uni.edu    phone: (319) 273-5850    fax: (319) 273-7373
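Turning Mike's observation (outbound 445 SYN scanning from hosts that also hold an IRC session on 6667) into a simple correlation check over border flow records, as an added example that is not part of the thread; the record format, the addresses and the threshold are constructed for illustration:

```python
# Added example, not from the unisog thread: flag internal hosts that show the
# pattern reported above - many outbound TCP/445 SYNs from one source that also
# opened an outbound TCP/6667 (IRC) connection. Format and values are constructed.
from collections import defaultdict

# Constructed flow records: "src dst dport flags", one line per SYN seen at the border.
SAMPLE_FLOWS = """\
10.1.2.3 192.0.2.7 6667 S
10.1.2.3 198.51.100.1 445 S
10.1.2.3 198.51.100.2 445 S
10.1.2.3 198.51.100.3 445 S
10.1.2.3 198.51.100.4 445 S
10.1.2.9 192.0.2.7 6667 S
10.1.5.5 198.51.100.1 445 S
10.1.5.5 198.51.100.2 445 S
"""


def parse_flows(text):
    """Yield (src, dst, dport) for each SYN record; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "S" or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])


def find_scanning_bots(text, scan_threshold=3):
    """Hosts with at least scan_threshold distinct 445 targets AND a 6667 flow.

    A host that only scans 445, or only talks IRC, is not reported: the
    combination is what distinguishes the controlled scanner described above.
    """
    targets_445 = defaultdict(set)   # src -> set of distinct 445 destinations
    irc_hosts = set()                # sources seen connecting to TCP/6667
    for src, dst, dport in parse_flows(text):
        if dport == 445:
            targets_445[src].add(dst)
        elif dport == 6667:
            irc_hosts.add(src)
    return sorted(h for h in irc_hosts if len(targets_445[h]) >= scan_threshold)


if __name__ == "__main__":
    print(find_scanning_bots(SAMPLE_FLOWS))  # ['10.1.2.3']
```

In practice the threshold would be set from the site's own 445 baseline (Ken's "fewer than 100,000 packets/day" is a per-site figure), and hits would be confirmed by the file and registry artefacts Mike lists.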