[unisog] Increased Activity

Jason Richardson A00JER1 at wpo.cso.niu.edu
Tue Mar 23 02:48:19 GMT 2004

Hi Mike,

2745 is the Bagle/Beagle worm (probably variant E - H);
3127 is probably MyDoom which uses 3127 or the next available port up
to 3198
6129 is Dameware.

You can Google for any of these by using "port xxxx virus."  1025 and
80 are usually legit but the way you describe the first byte of the DST
IP staying the same while the other three change indicates something
like Nimda or Code Red.

Jason Richardson, J.D., CISSP, CISM, CNE
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at niu.edu

>>> "Lang, Michael" <mike.lang at uconn.edu> 3/22/2004 11:44:09 AM >>>
Hey everyone,

This is my first post to unisog and I just subscribed, - I hope that
this isn't repetitive...

This morning I see a dramatic increase in hosts on our network that are
scanning for 

tcp 2745
tcp 1025
tcp 3127
tcp 6129
tcp   80

The attacked IP is chosen pretty random with the first octet staying
the same and the last three changing.

Not only is there a dramatic increase of hosts on our network getting
this, but I see a lot from the Internet pouring into our network.

Anyone clue me into what this one is?


- Mike

University of Connecticut

More information about the unisog mailing list