[unisog] Odd Traffic - Worm Related???

H. Morrow Long morrow.long at yale.edu
Wed Aug 27 20:45:25 GMT 2003

Also Napster used TCP port 4444 (as well as 5555, 6666, 7777, etc.)
and there are still OpenNAP servers (http://www.napigator.com/servers/)
and clients running the Napster protocol (http://opennap.sourceforge.net/).

- Morrow

Jason Brooks wrote:

> The plague of worms is starting to subside a bit here, allowing us to do 
> a bit more analysis of what is going on.  Initially, we were in a 
> reactive mode, cutting off access to anyone accessing 4444.  Late last 
> week, we started receiving reports of false positive diagnoses with 
> simply looking at 4444.  After trying to do more analysis, without a 
> packet capture yet, we are noting some interesting phenomena:
>     We have observed a large amount of hits to AOL owned IPs with the 
> destination port set to 4444.  Of at least two of those machines, both 
> have the MS03-026 patch and up to date McAfee DAT files.  Yet, we know 
> of no reason that they would be accessing AOL.  AV scans have shown 
> nothing infecting the machine.  Netstat output shows nothing talking to 
> a 4444 port.  And further, the connections seem to occur in threes, 
> generally three per minute, even though any port 4444 access is blocked.
>     Additionally, we are wondering about the possible use of a P2P 
> client called IMesh that could use this port  Has anyone seen this in 
> use that may be creating false positive hits?  Other ideas?
> Thanks,
> Jason Brooks
> Jason Brooks
> Information Security Technician
> 116 - B Coyner
> Longwood University
> 201 High Street
> Farmville, VA 23901
> (434) 395-2796

More information about the unisog mailing list