Sobig.f detection inconsistencies
thomasj4+unisog at oak.cats.ohiou.edu
Fri Aug 22 21:45:08 GMT 2003
Until recently we have been identifying the IPs for SoBig.f infected hosts
by checking the source IPs in MailScanner logs as well as logging outbound
After 19:00 UTC, we also began seeing IPs attempting to make outbound
(Obfuscated Source IP, EDT time)
22 Aug 03 15:05:19 udp xxx.xxx.xxx.xxx.1033 -> 220.127.116.11.8998
22 Aug 03 15:07:49 udp xxx.xxx.xxx.xxx.1033 -> 18.104.22.168.8998
22 Aug 03 15:08:02 udp xxx.xxx.xxx.xxx.1445 -> 22.214.171.124.8998
22 Aug 03 15:08:07 udp xxx.xxx.xxx.xxx.3836 -> 126.96.36.199.8998
22 Aug 03 15:08:08 udp xxx.xxx.xxx.xxx.3103 -> 188.8.131.52.8998
To my surprise, none of the source IPs of UDP/8998 attempts appeared in
the list of hosts that I believed to be infected with SoBig.f at the time
based on MailScanner and SMTP logs.
I suppose the UDP/8998 connections could not be the work of the worm at
all, but instead curious people trying to see if the twenty master
servers were available, but I doubt it.
I also can't explain why machines I suspected to be infected were not seen
in the UDP/8998 list.
As for our defense against the worm, we are filtering inbound UDP traffic
on ports 995-999 and 8998 per
http://isc.sans.org/diary.html?date=2003-08-22, but not outbound.
Anyone else seeing similar traffic?
Communication Network Services
Athens, Ohio 45701
security at ohio.edu
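Correlating the two detection sources the post describes (hosts flagged from the mail gateway logs versus hosts making outbound UDP/8998 attempts in the firewall log), as an added example that is not part of the original post. The firewall line format follows the lines quoted in the post; the suspect list and every address in it are constructed sample data.

```python
import re
from datetime import datetime

# Firewall line in the format quoted in the post, e.g.
#   "22 Aug 03 15:05:19 udp 10.0.0.5.1033 -> 192.0.2.10.8998"
# The last dotted component of each endpoint is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)$"
)

# UDP ports the post filters inbound: 995-999 and 8998.
SOBIG_UDP_PORTS = {8998} | set(range(995, 1000))

def parse_line(line):
    """Return a dict for one firewall line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d %b %y %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def udp_sources(lines, ports=SOBIG_UDP_PORTS):
    """Source IPs that attempted outbound UDP to any of `ports`."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"].lower() == "udp" and rec["dport"] in ports:
            hits.add(rec["src"])
    return hits

def correlate(smtp_suspects, fw_lines):
    """Split hosts into those seen by both detectors and those seen by only one."""
    udp = udp_sources(fw_lines)
    smtp = set(smtp_suspects)
    return {"both": smtp & udp, "smtp_only": smtp - udp, "udp_only": udp - smtp}

# Constructed sample data (private/test-net addresses, not the post's hosts).
SMTP_SUSPECTS = ["10.0.0.5", "10.0.0.9", "10.0.0.23"]
FW_LINES = [
    "22 Aug 03 15:05:19 udp 10.0.0.5.1033 -> 192.0.2.10.8998",
    "22 Aug 03 15:07:49 udp 10.0.0.40.1033 -> 192.0.2.11.8998",
    "22 Aug 03 15:08:02 tcp 10.0.0.9.1445 -> 192.0.2.12.25",   # SMTP, not the UDP check-in
    "22 Aug 03 15:08:08 udp 10.0.0.42.3103 -> 192.0.2.14.123",  # unrelated UDP (NTP)
    "garbage line that should be skipped",
]
```

Hosts in `smtp_only` or `udp_only` are the inconsistencies the post asks about; a non-empty `udp_only` set is worth checking by hand before treating UDP/8998 alone as proof of infection.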