Odd Traffic - Worm Related???
jbrooks at longwood.edu
Wed Aug 27 17:01:50 GMT 2003
The plague of worms is starting to subside a bit here, allowing us to do a
bit more analysis of what is going on. Initially, we were in a reactive
mode, cutting off access to anyone accessing 4444. Late last week, we
started receiving reports of false-positive diagnoses from simply looking
at port 4444. After trying to do more analysis, without a packet capture yet,
we are noting some interesting phenomena:
We have observed a large amount of hits to AOL owned IPs with the
destination port set to 4444. At least two of those machines have
the MS03-026 patch and up-to-date McAfee DAT files. Yet, we know of no
reason that they would be accessing AOL. AV scans have shown nothing
infecting the machine. Netstat output shows nothing talking to a 4444
port. And further, the connections seem to occur in threes, generally
three per minute, even though any port 4444 access is blocked.
Additionally, we are wondering about the possible use of a P2P client
called IMesh that could use this port. Has anyone seen this in use that may
be creating false positive hits? Other ideas?
Information Security Technician
116 - B Coyner
201 High Street
Farmville, VA 23901
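The post's core problem is that a rule keyed only on destination port 4444 cannot tell a worm sweeping many hosts from a patched machine that keeps reconnecting to the same two or three addresses. The script below is an added example, not code from the poster or the unisog list, that reads flow-style log lines and scores each source by fan-out (distinct destinations) and by attempts per minute, so that a host showing the "same few destinations, about three per minute" pattern described above is reported separately from a scanner. The log format, the thresholds and all addresses are constructed assumptions for the example.

```python
"""Triage port-4444 traffic by fan-out and rate rather than by port alone.

Added example with constructed data; the "timestamp src dst dport" log
format and the thresholds below are assumptions, not any product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: "ISO-timestamp src dst dport").
# 10.1.2.3 sweeps twelve hosts on 4444 in eleven seconds (scanner-like).
# 10.1.2.4 contacts the same two hosts on 4444, three times a minute for two
# minutes (the pattern the post describes for its patched machines).
# 10.1.2.5 only uses port 80 and must not appear in the 4444 summary.
SAMPLE_LOG = "\n".join(
    [f"2003-08-27T16:00:{i:02d} 10.1.2.3 172.16.5.{10 + i} 4444" for i in range(12)]
    + [
        "2003-08-27T16:00:05 10.1.2.4 198.51.100.7 4444",
        "2003-08-27T16:00:25 10.1.2.4 198.51.100.7 4444",
        "2003-08-27T16:00:45 10.1.2.4 198.51.100.8 4444",
        "2003-08-27T16:01:05 10.1.2.4 198.51.100.7 4444",
        "2003-08-27T16:01:25 10.1.2.4 198.51.100.8 4444",
        "2003-08-27T16:01:45 10.1.2.4 198.51.100.7 4444",
        "2003-08-27T16:00:30 10.1.2.5 198.51.100.9 80",
    ]
)

# Assumed thresholds: tune to the local network before relying on them.
SCAN_MIN_DISTINCT = 8   # this many distinct 4444 targets looks like a sweep
FEW_MAX_DISTINCT = 3    # at most this many targets counts as "same few hosts"
REPEAT_MIN_ATTEMPTS = 3  # repeated contact only counts once it recurs


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def summarize_port(events, port=4444):
    """Per-source attempts, distinct destinations and first/last time on one port."""
    per_src = defaultdict(lambda: {"attempts": 0, "dsts": set(), "first": None, "last": None})
    for ts, src, dst, dport in events:
        if dport != port:
            continue
        s = per_src[src]
        s["attempts"] += 1
        s["dsts"].add(dst)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return dict(per_src)


def classify(summary, scan_min_distinct=SCAN_MIN_DISTINCT,
             few_max_distinct=FEW_MAX_DISTINCT, repeat_min_attempts=REPEAT_MIN_ATTEMPTS):
    """Label each source: scan-like, repeat-to-few, or low-volume.

    The rate uses a one-minute floor so a burst inside a few seconds is not
    divided by a near-zero window.
    """
    verdicts = {}
    for src, s in summary.items():
        window_min = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)
        distinct = len(s["dsts"])
        if distinct >= scan_min_distinct:
            verdict = "scan-like"
        elif distinct <= few_max_distinct and s["attempts"] >= repeat_min_attempts:
            verdict = "repeat-to-few"
        else:
            verdict = "low-volume"
        verdicts[src] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_dsts": distinct,
            "per_minute": s["attempts"] / window_min,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in sorted(classify(summarize_port(parse_log(SAMPLE_LOG))).items()):
        print(f"{src:12} {v['verdict']:14} attempts={v['attempts']:3} "
              f"distinct={v['distinct_dsts']:3} rate={v['per_minute']:.1f}/min")
```

A "repeat-to-few" source is exactly the case the post could not explain: it deserves a packet capture of those few flows (which process opens them, what the payload is) rather than an automatic cut-off, while a "scan-like" source matches the worm's sweeping behaviour and justifies immediate isolation.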