[unisog] Increased Activity

Dave Dittrich dittrich at u.washington.edu
Thu Mar 25 00:19:35 GMT 2004


What you are seeing is probably "phatbot".  Check out the following
for more information:

	http://www.washingtonpost.com/wp-dyn/articles/A3211-2004Mar17.html
	http://www.us-cert.gov/cas/alerts/SA04-079A.html
	http://www.lurhq.com/phatbot.html

How big is a "dramatic increase"?


> 2745 is the Bagle/Beagle worm (probably variant E - H);
> 3127 is probably MyDoom which uses 3127 or the next available port up
> to 3198
> 6129 is Dameware.
>
> You can Google for any of these by using "port xxxx virus."  1025 and
> 80 are usually legit but the way you describe the first byte of the DST
> IP staying the same while the other three change indicates something
> like Nimda or Code Red.
>
> ---
> Jason Richardson, J.D., CISSP, CISM, CNE
> Manager, IT Security and Client Development
> Enterprise Systems Support
> Northern Illinois University
> Voice: 815-753-1678
> Fax: 815-753-2555
> jasrich at niu.edu
>
> >>> "Lang, Michael" <mike.lang at uconn.edu> 3/22/2004 11:44:09 AM >>>
> Hey everyone,
>
> This is my first post to unisog and I just subscribed - I hope that
> this isn't repetitive...
>
> This morning I see a dramatic increase in hosts on our network that are
> scanning for
>
> tcp 2745
> tcp 1025
> tcp 3127
> tcp 6129
> tcp   80
>
> The attacked IP is chosen pretty randomly, with the first octet staying
> the same and the last three changing.
>
> Not only is there a dramatic increase of hosts on our network getting
> this, but I see a lot from the Internet pouring into our network.
>
> Anyone clue me into what this one is?
>
> thanks,
>
> - Mike
>
> University of Connecticut
>

--
Dave Dittrich                           Information Assurance Researcher,
dittrich at cac.washington.edu             The iSchool
http://staff.washington.edu/dittrich    Senior Security Engineer, C&C
                                        University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
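The thread identifies the traffic by two things: the set of destination ports (2745, 1025, 3127, 6129, 80) and the target-selection pattern (first octet of the destination fixed, the other three varying). The script below is an added example, not part of the original thread and not code from any of its authors, that turns those two observations into a simple detector run over constructed connection-log lines. The log format (`time src dst proto dport`), the sample addresses and the flagging threshold of four distinct targets are all assumptions chosen for the example; the port list comes from the thread.

```python
import ipaddress
from collections import defaultdict

# Ports the thread associates with the scanning activity (2745 Bagle
# backdoor, 3127 MyDoom backdoor, 6129 DameWare, plus 1025 and 80).
WATCH_PORTS = {2745, 1025, 3127, 6129, 80}

# Assumed threshold: distinct destinations on watched ports before a
# source is reported. Tune to local traffic; it is not from the thread.
SCAN_THRESHOLD = 4

# Constructed sample log (not real traffic). Format assumed for the example:
# "time src dst proto dport". Includes a malformed line and a UDP line to
# show that both are skipped.
SAMPLE_LOG = """\
2004-03-22T11:30:01 10.1.2.3 10.45.1.1 tcp 2745
2004-03-22T11:30:01 10.1.2.3 10.45.1.1 tcp 3127
2004-03-22T11:30:02 10.1.2.3 10.201.7.9 tcp 2745
2004-03-22T11:30:02 10.1.2.3 10.9.88.2 tcp 6129
2004-03-22T11:30:03 10.1.2.3 10.130.4.77 tcp 1025
2004-03-22T11:30:03 10.1.2.3 10.17.250.6 tcp 80
2004-03-22T11:30:04 10.1.2.3 10.3.3.3 tcp 3127
this line is garbage
2004-03-22T11:31:00 10.1.2.50 10.1.2.10 tcp 80
2004-03-22T11:31:01 10.1.2.50 10.1.2.10 tcp 443
2004-03-22T11:31:02 10.1.2.50 10.1.2.11 udp 2745
2004-03-22T11:31:05 10.1.2.60 192.168.5.5 tcp 22
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
        }
    except ValueError:
        return None


def find_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Return {src: summary} for sources that contacted at least `threshold`
    distinct destinations on WATCH_PORTS over TCP.

    The summary records which watched ports were touched and what fraction
    of the targets share the source's first octet, so the "first octet fixed,
    last three vary" pattern from the thread can be checked directly.
    """
    targets = defaultdict(set)    # src -> set of destination addresses
    ports_hit = defaultdict(set)  # src -> set of watched ports contacted
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in WATCH_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
        ports_hit[rec["src"]].add(rec["dport"])

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < threshold:
            continue
        src_first_octet = src.packed[0]
        same = sum(1 for d in dsts if d.packed[0] == src_first_octet)
        findings[str(src)] = {
            "distinct_targets": len(dsts),
            "ports": sorted(ports_hit[src]),
            "same_first_octet_ratio": same / len(dsts),
        }
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_targets']} targets on ports {info['ports']}, "
              f"{info['same_first_octet_ratio']:.0%} in the same /8")
```

On the sample data only 10.1.2.3 is reported: six distinct targets across all five watched ports, every one of them inside the same /8 as the scanning host. The host that talked to a single web server twice stays below the threshold, which is the point of counting distinct destinations rather than raw connection attempts; a ratio near 1.0 combined with several of these ports is the signature the thread describes, and a single host hitting one port on many targets is worth a closer look even when the ratio is lower.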


