[unisog] ports 63808, 63809, and 65506?

Kevin T. Shivers kts at umd.edu
Tue Jan 20 20:08:00 GMT 2004

It's a variant of Agobot/Gaobot.  I found a host today doing the same 
thing, connecting to and sitting in #agobot, and having a 
high numbered port that sends a lot of data when I connect to it, I'm 
guessing thats the port that recently infected hosts connect to and the 
worm sends over it's payload since I could decipher some Windows programming 
functions in the gibberish.


Both sites have some info, there are litterally hundreds of variants of 
this guy out there, the SARC link at the top has one of the newest 
versions which is probably what your computers are infected with.  An 
antivirus scan of the system with up to date DAT files should remove it.


Kevin T. Shivers

IT Security Analyst                                CSS4417
Office of Information Technology            (301) 405-8836
University of Maryland, College Park
OIT Security: (301) 226 HACK

On Tue, 20 Jan 2004, Pat Wilson wrote:

> I'm seeing a new (to me, at least) worm today - all of the
> machines which seem to have it share the following symptoms:
>  - slowly, randomly, scanning port 445 on the /16 they're on 
>  - connections to (and often
>  - open tcp ports 63808, 63809, and 65506
>  - a random high-numbered port which amap identifies as speaking
> ftp
>  - a random high-numbered port which sends lots of data when amap
> connects.
> Does this ring a bell for anyone?  I don't have access to the
> hosts themselves (all are running some sort of Microsoft OS), so
> I can't just go look.
> Thanks for any hints - it'd be nice to be able to give the folks
> who _do_ have to clean these up some idea of what it might be.
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

More information about the unisog mailing list