[unisog] 10.10.10.10:36278

Paul Dokas dokas at cs.umn.edu
Thu Feb 19 02:46:16 GMT 2004


On Wed, 18 Feb 2004 15:50:48 -0600, Paul Dokas <dokas at cs.umn.edu> wrote:
> On Wed, 18 Feb 2004 14:13:46 -0500 "Fred Portnoy" <fportnoy at mail.plymouth.edu> wrote:
> > Has anyone seen something like this? I've stopped over 14,000 of these in
> > the last hour coming out of our ResNet. Here's a sample:
> > 
> > 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
> > 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
> > 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
> > 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
> > 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
> > 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S
> > 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > 
> > tia
> > 
> > -fp
> 
> I've finally managed to get a copy of a worm/virus that does this.

Following up my own email, I've realized that I was wrong.  The worm that
I found was *not* creating traffic to 10.10.10.10 36278/TCP.  What I
found sends to 10.10.10.10 6667/TCP.  However, given the nature of both
of these:

 + about the same number of connection attempts to 10.10.10.10 per minute
 + both associated with a P2P
 + both found on relatively unsecured machines

I strongly suspect that the 10.10.10.10 36278/TCP traffic is worm/virus
related.

Paul
-- 
Paul Dokas                                            dokas at cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."

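As an added illustration, not part of the original thread: the pattern both posters describe is a burst of bare SYNs from several internal hosts to one fixed address and port that never answers. A small parser over the old-style tcpdump lines quoted above can turn that into a per-minute count per destination socket, which is the kind of check a network operator would script before deciding whether to block the port. The sample records are the six from Fred Portnoy's post (re-joined onto single lines) plus one constructed non-SYN line to show the filter; the threshold value and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The six SYN records quoted in the post (tcpdump printed each on one line;
# the mail client wrapped them), plus one constructed ACK line so the
# SYN-only filter has something to drop.
SAMPLE_LINES = [
    "14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    # constructed: a plain ACK, which the SYN-only filter must ignore
    "14:02:52.000000 resnet172-163.zzzz.xxxx.2281 > 10.10.10.10.36278: . ack 1 win 64240 (DF)",
]

# tcpdump (2004-era format): "HH:MM:SS.frac src.sport > dst.dport: FLAGS ..."
# The host part may itself contain dots, so the port is the last component.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "minute": d["ts"][:5],          # HH:MM bucket
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "syn_only": d["flags"] == "S",  # bare SYN, no other flag bits
    }


def summarize(lines):
    """Count bare SYNs per (dst, dport, minute) and record the distinct sources."""
    buckets = defaultdict(lambda: {"syns": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn_only"]:
            continue
        key = (rec["dst"], rec["dport"], rec["minute"])
        buckets[key]["syns"] += 1
        buckets[key]["sources"].add(rec["src"])
    return dict(buckets)


def flag_beacons(lines, min_syns_per_minute=5):
    """Return (dst, dport, minute, syn_count, distinct_sources) for every
    per-minute bucket at or above the threshold. The threshold is an
    assumption of this example; tune it to the site's normal traffic."""
    out = []
    for (dst, dport, minute), b in sorted(summarize(lines).items()):
        if b["syns"] >= min_syns_per_minute:
            out.append((dst, dport, minute, b["syns"], len(b["sources"])))
    return out


if __name__ == "__main__":
    for hit in flag_beacons(SAMPLE_LINES):
        dst, dport, minute, syns, nsrc = hit
        print(f"{minute} {dst}:{dport} {syns} SYNs from {nsrc} hosts")
```

Run on a full hour of capture the same way the post describes (14,000 in an hour), the per-minute buckets also show whether the rate is steady, which is what distinguishes a hard-coded beacon from a user briefly retrying a dead peer.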


More information about the unisog mailing list