[unisog] ports 63808, 63809, and 65506?
Kevin T. Shivers
kts at umd.edu
Tue Jan 20 20:08:00 GMT 2004
It's a variant of Agobot/Gaobot. I found a host today doing the same
thing, connecting to 18.104.22.168:9900 and sitting in #agobot, and having a
high numbered port that sends a lot of data when I connect to it, I'm
guessing thats the port that recently infected hosts connect to and the
worm sends over it's payload since I could decipher some Windows programming
functions in the gibberish.
Both sites have some info, there are litterally hundreds of variants of
this guy out there, the SARC link at the top has one of the newest
versions which is probably what your computers are infected with. An
antivirus scan of the system with up to date DAT files should remove it.
Kevin T. Shivers
IT Security Analyst CSS4417
Office of Information Technology (301) 405-8836
University of Maryland, College Park
OIT Security: (301) 226 HACK
On Tue, 20 Jan 2004, Pat Wilson wrote:
> I'm seeing a new (to me, at least) worm today - all of the
> machines which seem to have it share the following symptoms:
> - slowly, randomly, scanning port 445 on the /16 they're on
> - connections to 22.214.171.124:9901 (and often 126.96.36.199:6667)
> - open tcp ports 63808, 63809, and 65506
> - a random high-numbered port which amap identifies as speaking
> - a random high-numbered port which sends lots of data when amap
> Does this ring a bell for anyone? I don't have access to the
> hosts themselves (all are running some sort of Microsoft OS), so
> I can't just go look.
> Thanks for any hints - it'd be nice to be able to give the folks
> who _do_ have to clean these up some idea of what it might be.
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
More information about the unisog