[unisog] Odd Traffic - Worm Related???
H. Morrow Long
morrow.long at yale.edu
Wed Aug 27 20:45:25 GMT 2003
Also Napster used TCP port 4444 (as well as 5555, 6666, 7777, etc.)
and there are still OpenNAP servers (http://www.napigator.com/servers/)
and clients running the Napster protocol (http://opennap.sourceforge.net/).
Jason Brooks wrote:
> The plague of worms is starting to subside a bit here, allowing us to do
> a bit more analysis of what is going on. Initially, we were in a
> reactive mode, cutting off access to anyone accessing 4444. Late last
> week, we started receiving reports of false positive diagnoses with
> simply looking at 4444. After trying to do more analysis, without a
> packet capture yet, we are noting some interesting phenomena:
> We have observed a large amount of hits to AOL owned IPs with the
> destination port set to 4444. Of at least two of those machines, both
> have the MS03-026 patch and up to date McAfee DAT files. Yet, we know
> of no reason that they would be accessing AOL. AV scans have shown
> nothing infecting the machine. Netstat output shows nothing talking to
> a 4444 port. And further, the connections seem to occur in threes,
> generally three per minute, even though any port 4444 access is blocked.
> Additionally, we are wondering about the possible use of a P2P
> client called IMesh that could use this port. Has anyone seen this in
> use that may be creating false positive hits? Other ideas?
> Jason Brooks
> Information Security Technician
> 116 - B Coyner
> Longwood University
> 201 High Street
> Farmville, VA 23901
> (434) 395-2796
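As an added defender-side illustration (not code from the thread or its participants), the following Python script triages outbound TCP/4444 connection attempts from constructed flow-style records instead of cutting off access on any single hit: it reports per-host hit counts, destination fan-out and the peak number of hits in any 60-second window, so that a steady three-per-minute fan-out like the one described above can be separated from a low-rate talker to one destination that may simply be a legitimate 4444 user (e.g. an OpenNap/Napster client). The log format, the sample addresses and the thresholds are assumptions for illustration.

```python
"""Triage outbound connections to TCP/4444 from flow-style logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the original thread). Assumed format:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port>
SAMPLE_FLOWS = """\
2003-08-25T10:00:01 10.1.2.3 192.0.2.10 4444
2003-08-25T10:00:21 10.1.2.3 192.0.2.11 4444
2003-08-25T10:00:41 10.1.2.3 192.0.2.12 4444
2003-08-25T10:01:02 10.1.2.3 192.0.2.13 4444
2003-08-25T10:01:22 10.1.2.3 192.0.2.14 4444
2003-08-25T10:01:42 10.1.2.3 192.0.2.15 4444
2003-08-25T10:00:05 10.1.2.9 198.51.100.7 4444
2003-08-25T10:30:00 10.1.2.9 198.51.100.7 4444
2003-08-25T10:00:09 10.1.2.7 203.0.113.5 80
"""

def parse_flows(text):
    """Parse one record per line into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def summarize_4444(flows, port=4444):
    """Per source host: total hits, distinct destinations, peak hits in any 60 s window."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))
    summary = {}
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _ in events]
        peak, j = 0, 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() >= 60:  # slide window start forward
                j += 1
            peak = max(peak, i - j + 1)
        summary[src] = {"hits": len(events),
                        "dests": len({d for _, d in events}),
                        "peak_per_min": peak}
    return summary

def classify(entry, min_dests=3, min_rate=3):
    """Assumed heuristic: fan-out to several destinations at a sustained cadence
    warrants inspecting the host; a low-rate, single-destination talker is more
    consistent with a legitimate 4444 service and should be checked for a false
    positive before access is cut off."""
    if entry["dests"] >= min_dests and entry["peak_per_min"] >= min_rate:
        return "review"
    return "low"
```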