Odd Traffic - Worm Related???

Jason Brooks jbrooks at longwood.edu
Wed Aug 27 17:01:50 GMT 2003

The plague of worms is starting to subside a bit here, allowing us to do a 
bit more analysis of what is going on.  Initially, we were in a reactive 
mode, cutting off access to anyone accessing 4444.  Late last week, we 
started receiving reports of false positive diagnoses from simply looking 
at 4444.  After trying to do more analysis, without a packet capture yet, 
we are noting some interesting phenomena:
     We have observed a large amount of hits to AOL owned IPs with the 
destination port set to 4444.  At least two of those machines have 
the MS03-026 patch and up to date McAfee DAT files.  Yet, we know of no 
reason that they would be accessing AOL.  AV scans have shown nothing 
infecting the machine.  Netstat output shows nothing talking to a 4444 
port.  And further, the connections seem to occur in threes, generally 
three per minute, even though any port 4444 access is blocked.
     Additionally, we are wondering about the possible use of a P2P client 
called IMesh that could use this port.  Has anyone seen this in use that may 
be creating false positive hits?  Other ideas?

Jason Brooks

Jason Brooks
Information Security Technician
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
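The post above cuts hosts off on any TCP/4444 hit and then finds that rule produces false positives. The script below, an added example that is not part of the original message, shows one way to triage 4444 hits from firewall logs instead of blocking on the port alone. Blaster-family MS03-026 worms exploit TCP/135 across many addresses and only then connect to TCP/4444 on the hosts they compromised, so a real infection fans out on 135 before it touches 4444; a single host hitting the same one or two remote addresses on 4444 a few times a minute, the pattern described in the post, looks quite different. The log format, thresholds, function names and every address in the sample log (the 192.0.2.0/24 range stands in for the AOL-owned space) are constructed assumptions for the example, not data from the post.

```python
"""Triage TCP/4444 hits by source-host behaviour rather than by port alone.

Constructed example: log format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed firewall line format: "<ISO timestamp> <ACCEPT|DROP> TCP src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ACCEPT|DROP) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

FANOUT_MIN = 10   # distinct TCP/135 targets before a host is called worm-like
BURST_MIN = 3     # 4444 hits to the same few destinations before we flag for review

# Constructed sample log.  10.1.1.50 behaves like a Blaster-style infection:
# it probes TCP/135 on fifteen neighbours and then reaches for 4444 on two of them.
WORM_SCAN = "\n".join(
    f"2003-08-27T09:00:{i:02d} DROP TCP 10.1.1.50:{1040 + i} -> 10.1.2.{i}:135"
    for i in range(1, 16)
)
SAMPLE_LOG = WORM_SCAN + "\n" + """\
2003-08-27T09:00:20 DROP TCP 10.1.1.50:1070 -> 10.1.2.3:4444
2003-08-27T09:00:21 DROP TCP 10.1.1.50:1071 -> 10.1.2.9:4444
2003-08-27T09:00:05 DROP TCP 10.1.1.77:3201 -> 192.0.2.10:4444
2003-08-27T09:00:20 DROP TCP 10.1.1.77:3202 -> 192.0.2.10:4444
2003-08-27T09:00:40 DROP TCP 10.1.1.77:3203 -> 192.0.2.10:4444
2003-08-27T09:01:05 DROP TCP 10.1.1.77:3204 -> 192.0.2.10:4444
2003-08-27T09:01:20 DROP TCP 10.1.1.77:3205 -> 192.0.2.10:4444
2003-08-27T09:01:40 DROP TCP 10.1.1.77:3206 -> 192.0.2.10:4444
2003-08-27T09:02:10 DROP TCP 10.1.1.77:3207 -> 192.0.2.10:4444
2003-08-27T09:02:30 DROP TCP 10.1.1.77:3208 -> 192.0.2.10:4444
2003-08-27T09:02:50 DROP TCP 10.1.1.77:3209 -> 192.0.2.10:4444
2003-08-27T09:03:00 DROP TCP 10.1.1.90:2044 -> 192.0.2.44:4444
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Return (ts, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return events


def profile_sources(events):
    """Per source host: 135 targets, 4444 targets, 4444 hit count, 4444 hits per minute."""
    prof = defaultdict(lambda: {"dst135": set(), "dst4444": set(),
                                "hits4444": 0, "per_minute": defaultdict(int)})
    for ts, src, dst, dport in events:
        p = prof[src]
        if dport == 135:
            p["dst135"].add(dst)
        elif dport == 4444:
            p["dst4444"].add(dst)
            p["hits4444"] += 1
            p["per_minute"][ts[:16]] += 1   # bucket by "YYYY-MM-DDTHH:MM"
    return prof


def classify(p):
    """Worm-like needs 135 fan-out and a 4444 target that was also probed on 135."""
    if len(p["dst135"]) >= FANOUT_MIN and p["dst4444"] & p["dst135"]:
        return "worm-like"
    if p["hits4444"] >= BURST_MIN and len(p["dst4444"]) <= 2:
        return "repeated-destination"   # same few hosts again and again: review, do not auto-block
    if p["hits4444"]:
        return "single-hit"
    return "none"


def triage(log_text):
    """Map each source host to its verdict and its busiest minute on 4444."""
    result = {}
    for src, p in profile_sources(parse_log(log_text)).items():
        result[src] = {
            "verdict": classify(p),
            "peak_per_minute": max(p["per_minute"].values(), default=0),
            "distinct_4444_targets": len(p["dst4444"]),
        }
    return result


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:12} {info['verdict']:22} peak/min={info['peak_per_minute']} "
              f"targets={info['distinct_4444_targets']}")
```

Only the worm-like verdict is a candidate for an automatic cut-off; the repeated-destination case is exactly the three-per-minute, same-destination traffic the post describes and is the one to examine on the host (a packet capture or a look at which process owns the connecting socket) before blocking.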
