[unisog] Increased Activity

Edward Zawacki edz at uic.edu
Tue Mar 23 17:09:33 GMT 2004

At 11:44 AM 3/22/2004, Lang, Michael wrote:
>Hey everyone,
>This is my first post to unisog and I just subscribed - I hope that this
>isn't repetitive...
>This morning I see a dramatic increase in hosts on our network that are
>scanning for
>tcp 2745
>tcp 1025
>tcp 3127
>tcp 6129
>tcp   80

We're seeing the same thing.

Note that this is one infection causing this, as the same IP is probing all
of these ports on the target machine before moving on. It's not separate
worms as Jason suggested (thanks for the response though...).

Any idea of what this is would be welcome here as well.

Ed Zawacki

>The attacked IP is chosen pretty randomly, with the first octet staying the
>same and the last three changing.
>Not only is there a dramatic increase of hosts on our network getting
>this, but I see a lot from the Internet pouring into our network.
>Anyone clue me into what this one is?
>- Mike
>University of Connecticut
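
The pattern described in this thread (one source probing all five ports on a target before moving on, with targets sharing a first octet) can be checked against flow records. The Python below is an added example, not part of the original thread; the `(src, dst, dst_port)` tuple format, the function names and the 10.x addresses are constructed for illustration.

```python
from collections import defaultdict

# Ports listed in the thread as being probed together.
SIGNATURE_PORTS = frozenset({2745, 1025, 3127, 6129, 80})


def sample_flows():
    """Constructed (src, dst, dst_port) records; no address is from the thread."""
    flows = []
    # One host walking the whole port set on each target before moving on.
    for dst in ("10.44.7.19", "10.200.3.88", "10.17.250.4"):
        flows += [("10.1.2.3", dst, port) for port in sorted(SIGNATURE_PORTS)]
    # A host that only touches tcp/80 (ordinary web client).
    flows += [("10.9.9.9", "10.44.7.19", 80), ("10.9.9.9", "10.5.5.5", 80)]
    # A host sweeping a single port, as a separate single-port worm would.
    flows += [("10.8.8.8", dst, 3127) for dst in ("10.44.7.19", "10.5.5.5", "10.6.6.6")]
    return flows


def multi_port_scanners(flows, min_targets=2):
    """Map each source to the targets on which it probed every signature port.

    Only sources with at least min_targets such targets are returned, so a
    single coincidental match does not flag a host.
    """
    ports_seen = defaultdict(set)
    for src, dst, port in flows:
        if port in SIGNATURE_PORTS:
            ports_seen[(src, dst)].add(port)
    full_hits = defaultdict(list)
    for (src, dst), ports in ports_seen.items():
        if ports == SIGNATURE_PORTS:
            full_hits[src].append(dst)
    return {src: sorted(dsts) for src, dsts in full_hits.items() if len(dsts) >= min_targets}


def targets_share_first_octet(dsts):
    """True when every target has the same first octet (the pattern Mike describes)."""
    return len({dst.split(".")[0] for dst in dsts}) == 1


if __name__ == "__main__":
    for src, dsts in multi_port_scanners(sample_flows()).items():
        print(src, "probed all signature ports on", len(dsts), "targets;",
              "same first octet:", targets_share_first_octet(dsts))
```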

