ports 63808, 63809, and 65506?
paw at noh.ucsd.edu
Tue Jan 20 19:33:50 GMT 2004
I'm seeing a new (to me, at least) worm today - all of the
machines which seem to have it share the following symptoms:
- slowly, randomly, scanning port 445 on the /16 they're on
- connections to 18.104.22.168:9901 (and often 22.214.171.124:6667)
- open tcp ports 63808, 63809, and 65506
- a random high-numbered port which amap identifies as speaking
- a random high-numbered port which sends lots of data when amap
Does this ring a bell for anyone? I don't have access to the
hosts themselves (all are running some sort of Microsoft OS), so
I can't just go look.
Thanks for any hints - it'd be nice to be able to give the folks
who _do_ have to clean these up some idea of what it might be.
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
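
A triage sketch for the symptom list in the post above, added here as an example and not part of the original message: it matches outbound flow records and port-scan results against the posted indicators and reports which symptoms each host shows. The record layout, the scan threshold, the symptom names and the sample data are assumptions.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the post above.
LISTEN_PORTS = {63808, 63809, 65506}
REMOTE_ENDPOINTS = {("18.104.22.168", 9901): "remote_9901",
                    ("22.214.171.124", 6667): "remote_6667"}
SCAN_THRESHOLD = 3  # assumption: distinct same-/16 targets on 445 that count as scanning


def match_symptoms(flows, listeners):
    """Return {host: set of symptom names} for hosts showing at least one symptom.

    flows: iterable of (src_ip, dst_ip, dst_port) for outbound TCP connections.
    listeners: {host_ip: set of open TCP ports} from a port scan.
    """
    hits = defaultdict(set)
    smb_targets = defaultdict(set)
    for src, dst, dport in flows:
        label = REMOTE_ENDPOINTS.get((dst, dport))
        if label:
            hits[src].add(label)
        if dport == 445:
            # Only count port-445 targets inside the source host's own /16.
            own_16 = ipaddress.ip_network(f"{src}/16", strict=False)
            if ipaddress.ip_address(dst) in own_16:
                smb_targets[src].add(dst)
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            hits[src].add("scan_445_own_16")
    for host, ports in listeners.items():
        if LISTEN_PORTS <= set(ports):  # all three ports must be open
            hits[host].add("listen_63808_63809_65506")
    return dict(hits)


# Constructed sample data (RFC 1918 addresses for local hosts), not real traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.9.9", 445), ("10.1.2.3", "10.1.77.4", 445),
    ("10.1.2.3", "10.1.200.18", 445), ("10.1.2.3", "18.104.22.168", 9901),
    ("10.1.5.5", "10.1.5.6", 445),        # a single SMB connection, not a scan
    ("10.1.5.5", "22.214.171.124", 80),   # listed address, but not the listed port
]
SAMPLE_LISTENERS = {"10.1.2.3": {135, 445, 63808, 63809, 65506},
                    "10.1.5.5": {135, 445}}

if __name__ == "__main__":
    for host, symptoms in sorted(match_symptoms(SAMPLE_FLOWS, SAMPLE_LISTENERS).items()):
        print(host, sorted(symptoms))
```

Hosts that match several symptoms at once are the ones worth handing to whoever has access to the machines; a single port-445 connection or one matching port on its own is common on a Windows network.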