[unisog] New worm?

James Massingill jlmassi at earthlink.net
Sat Nov 29 03:38:05 GMT 2003


Ed,

The response seen on port 1019 is a "pubstro".  Most of the time this is
an FTP site opened up on the machine to store warez software etc.  If you
FTP to the port, you will find that it gives you a login prompt.
Anonymous will rarely be allowed (only by accident).  Usually, to gain
access to the server remotely, one would be given a username / password
by the group who "maintains" the pubstro (FTP) server.  Sometimes the
FTP server is actually used as a backdoor and is set up to give full
administrative access in command line mode, for the attackers' later use.

However, I doubt that this port 1019 response is related to the scanning
on port 445 and is probably coincidence.  Of course, I have been wrong
before.

Hope this helps,

James Massingill



#!-----Original Message-----
#!From: Edward Zawacki [mailto:edz at uic.edu] 
#!Sent: Wednesday, November 26, 2003 7:29 AM
#!To: unisog at sans.org
#!Subject: [unisog] New worm?
#!
#!
#!We are seeing a new worm (new to us at least ;).
#!
#!It is scanning random IP addresses on ports 135 and 445. It 
#!has scanned on sequential addresses 4 times though (unless 
#!that was a separate beast).
#!
#!Once a machine is infected, several random ports are opened
#!and at least one of them appears to be attempting to send
#!an executable.
#!
#!On the few we scanned, port 1019 answers with:
#!
#!220 an Cr3w Site^M^M
#!221 l8r...
#!
#!The one machine that we looked at had a registry
#!entry in HKLM../RunServices for "Windows Updater"
#!with a value of "svthost.exe".
#!
#!Norton run on the machine picked up Welchia and
#!quarantined two files. Welchia never scanned on
#!port 445 though...
#!
#!
#!Any ideas as to what this is?
#!
#!Thanks
#!edz
#!
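A small parser for the FTP control-channel exchange quoted in edz's message, added here as an example and not code from either poster. The capture is constructed from the two lines reported for port 1019; the "leetspeak tag" rule is my own heuristic for banners like the one quoted, not something the thread states.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed capture of what the thread reports port 1019 answering with
# (the ^M characters in the post are carriage returns).
PUBSTRO_CAPTURE = "220 an Cr3w Site\r\r\n221 l8r...\r\n"

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
# Heuristic: a token mixing letters and digits ("Cr3w", "l8r") as warez
# group tags usually do; plain version numbers such as "2003" do not match.
LEET_RE = re.compile(r"\b[A-Za-z]*\d+[A-Za-z]+\b")

@dataclass
class FtpReply:
    code: int
    text: str

def parse_replies(raw: str) -> list[FtpReply]:
    """Split a control-channel capture into RFC 959 replies, folding
    'NNN-' multi-line replies (terminated by 'NNN ') into one reply."""
    replies: list[FtpReply] = []
    open_reply: FtpReply | None = None
    for line in raw.replace("\r", "").split("\n"):
        m = REPLY_RE.match(line)
        if open_reply is not None:
            if m and int(m.group(1)) == open_reply.code and m.group(2) == " ":
                open_reply.text += "\n" + m.group(3)   # terminating line
                replies.append(open_reply)
                open_reply = None
            elif line:
                open_reply.text += "\n" + line         # continuation line
        elif m:
            reply = FtpReply(int(m.group(1)), m.group(3))
            if m.group(2) == "-":
                open_reply = reply
            else:
                replies.append(reply)
        # blank lines and anything that is not a reply are ignored
    return replies

def classify(raw: str) -> dict:
    """Flag the pattern from the thread: a 220 greeting followed straight
    away by a 221 goodbye, with a leetspeak tag somewhere in the replies."""
    replies = parse_replies(raw)
    codes = [r.code for r in replies]
    banner = replies[0].text if codes[:1] == [220] else ""
    greets_then_hangs_up = codes[:2] == [220, 221]
    leet_tag = bool(LEET_RE.search(" ".join(r.text for r in replies)))
    return {"banner": banner, "greets_then_hangs_up": greets_then_hangs_up,
            "leet_tag": leet_tag, "suspicious": greets_then_hangs_up and leet_tag}

if __name__ == "__main__":
    print(classify(PUBSTRO_CAPTURE))
```

Run it against banners captured from your own hosts; a normal daemon greets with 220 and then waits for USER, so the 220-then-221 shape alone is worth a second look even without the tag.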

