ports 63808, 63809, and 65506?

Pat Wilson paw at noh.ucsd.edu
Tue Jan 20 19:33:50 GMT 2004


I'm seeing a new (to me, at least) worm today - all of the
machines which seem to have it share the following symptoms:

 - slowly, randomly, scanning port 445 on the /16 they're on
 - connections to 65.248.27.5:9901 (and often 66.90.87.57:6667)
 - open tcp ports 63808, 63809, and 65506
 - a random high-numbered port which amap identifies as speaking ftp
 - a random high-numbered port which sends lots of data when amap connects.

Does this ring a bell for anyone?  I don't have access to the
hosts themselves (all are running some sort of Microsoft OS), so
I can't just go look.

Thanks for any hints - it'd be nice to be able to give the folks
who _do_ have to clean these up some idea of what it might be.

Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
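
Added example, not part of the original message: a network-side triage pass that checks flow records and port-scan results against the symptoms listed in the post, for the case where the hosts themselves are not accessible. The record layout, the scan threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the post above.
LISTEN_PORTS = {63808, 63809, 65506}
REMOTE_ENDPOINTS = {("65.248.27.5", 9901), ("66.90.87.57", 6667)}
# Assumption: this many distinct same-/16 targets on 445 counts as scanning.
SCAN_THRESHOLD = 5

def same_slash16(a, b):
    """True if address b lies in the /16 that contains address a."""
    net = ipaddress.ip_network(f"{a}/16", strict=False)
    return ipaddress.ip_address(b) in net

def triage(flows, open_ports):
    """flows: iterable of (src, dst, dst_port) tuples.
    open_ports: {host: set of open TCP ports} from a port scan.
    Returns {host: sorted list of matched symptom names}."""
    targets_445 = defaultdict(set)
    hits = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445 and same_slash16(src, dst):
            targets_445[src].add(dst)
        if (dst, dport) in REMOTE_ENDPOINTS:
            hits[src].add("remote-endpoint")
    for host, targets in targets_445.items():
        if len(targets) >= SCAN_THRESHOLD:
            hits[host].add("scan-445")
    for host, ports in open_ports.items():
        if LISTEN_PORTS <= set(ports):  # all three ports open
            hits[host].add("listen-ports")
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample data: 10.20.0.0/16 stands in for the campus /16.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.3.17", 445), ("10.20.1.5", "10.20.77.2", 445),
    ("10.20.1.5", "10.20.140.9", 445), ("10.20.1.5", "10.20.201.44", 445),
    ("10.20.1.5", "10.20.9.130", 445), ("10.20.1.5", "65.248.27.5", 9901),
    ("10.20.4.8", "10.20.4.1", 445),   # one file server: not a scan
    ("10.20.4.8", "10.30.0.1", 445),   # outside the host's own /16
    ("10.20.9.9", "66.90.87.57", 6667),
]
SAMPLE_OPEN_PORTS = {
    "10.20.1.5": {135, 445, 63808, 63809, 65506},
    "10.20.4.8": {445},
}

if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_FLOWS, SAMPLE_OPEN_PORTS).items()):
        print(host, ", ".join(names))
```

A host matching all three symptom names is the strongest candidate for cleanup; a host matching only one needs corroboration before it is treated as infected.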


