[unisog] Increased Activity (fwd)

Chris Russel russel at yorku.ca
Tue Mar 23 13:38:16 GMT 2004

Our logs picked up the same burst of activity, with the same increment on
the first octet, starting late yesterday afternoon and going to around
7-7:30pm EST when it abruptly stopped.  We also noticed several (not all)
of these systems also scanning port 135 and trying the MS03-026 exploit.

My guess is it is related to phatbot which tries the dameware and
DCERPC exploits among others.

Even more mysterious is that it seems to have almost entirely stopped
right now - still a couple systems I can see but nothing compared to
yesterday.  This gives me a bad feeling.  Sorry I don't have anything more
useful to say; I am just starting to look into it.

I'd love to hear from anyone else who is investigating this stuff.

Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
russel at yorku.ca

On Mon, 22 Mar 2004, Lang, Michael wrote:

> Hey everyone,
> This is my first post to unisog and I just subscribed - I hope that this isn't repetitive...
> This morning I see a dramatic increase in hosts on our network that are scanning for
> tcp 2745
> tcp 1025
> tcp 3127
> tcp 6129
> tcp   80
> The attacked IP is chosen pretty randomly, with the first octet staying the same and the last three changing.
> Not only is there a dramatic increase of hosts on our network getting this, but I see a lot from the Internet pouring into our network.
> Anyone clue me into what this one is?
> thanks,
> - Mike
> University of Connecticut
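
The scan pattern reported in this thread can be picked out of flow logs with a short script. The following is an added example, not part of either message: the "src dst dport" line format, the function name, the thresholds and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# TCP ports listed in the quoted report.
SIGNATURE_PORTS = {2745, 1025, 3127, 6129, 80}

def find_scanners(flows, min_ports=3, min_targets=4):
    """Flag sources probing several signature ports on many hosts.

    flows: iterable of 'src dst dport' lines (assumed format).
    Requiring min_ports distinct ports keeps ordinary web clients,
    which only touch port 80, out of the result.
    """
    ports, targets = defaultdict(set), defaultdict(set)
    for line in flows:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed records
        src, dst, dport = fields
        try:
            IPv4Address(src)
            dst_ip = IPv4Address(dst)
            dport = int(dport)
        except ValueError:
            continue  # bad address or port
        if dport in SIGNATURE_PORTS:
            ports[src].add(dport)
            targets[src].add(dst_ip)
    hits = {}
    for src, seen in ports.items():
        if len(seen) >= min_ports and len(targets[src]) >= min_targets:
            hits[src] = {
                "ports": sorted(seen),
                "targets": len(targets[src]),
                # A single value here matches "first octet staying the same".
                "first_octets": sorted({t.packed[0] for t in targets[src]}),
            }
    return hits

# Constructed sample records: one scanner, one web client, one noise host.
SAMPLE_FLOWS = """\
10.20.1.5 10.77.3.9 2745
10.20.1.5 10.140.22.8 1025
10.20.1.5 10.9.201.44 3127
10.20.1.5 10.63.17.2 6129
10.20.1.5 10.250.4.61 80
10.20.1.9 192.0.2.10 80
10.20.1.9 198.51.100.7 80
10.20.1.9 203.0.113.5 80
10.20.1.9 192.0.2.44 80
10.20.1.7 10.20.1.1 1025
malformed
""".splitlines()
```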
