[unisog] Increased Activity
dittrich at u.washington.edu
Thu Mar 25 00:19:35 GMT 2004
What you are seeing is probably "phatbot". Check out the following
for more information:
How big is a "dramatic increase"?
> 2745 is the Bagle/Beagle worm (probably variant E - H);
> 3127 is probably MyDoom which uses 3127 or the next available port up
> to 3198
> 6129 is Dameware.
> You can Google for any of these by using "port xxxx virus." 1025 and
> 80 are usually legit but the way you describe the first byte of the DST
> IP staying the same while the other three change indicates something
> like Nimda or Code Red.
> Jason Richardson, J.D., CISSP, CISM, CNE
> Manager, IT Security and Client Development
> Enterprise Systems Support
> Northern Illinois University
> Voice: 815-753-1678
> Fax: 815-753-2555
> jasrich at niu.edu
> >>> "Lang, Michael" <mike.lang at uconn.edu> 3/22/2004 11:44:09 AM >>>
> Hey everyone,
> This is my first post to unisog and I just subscribed - I hope that
> this isn't repetitive...
> This morning I see a dramatic increase in hosts on our network that are
> scanning for
> tcp 2745
> tcp 1025
> tcp 3127
> tcp 6129
> tcp 80
> The attacked IP is chosen pretty randomly, with the first octet staying
> the same and the last three changing.
> Not only is there a dramatic increase of hosts on our network getting
> this, but I see a lot from the Internet pouring into our network.
> Anyone clue me into what this one is?
> - Mike
> University of Connecticut
Dave Dittrich
Information Assurance Researcher, The iSchool
Senior Security Engineer, C&C
University of Washington
dittrich at cac.washington.edu
http://staff.washington.edu/dittrich
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5
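The pattern Mike describes (one internal host hitting many destinations inside its own /8 on tcp 2745, 1025, 3127, 6129 and 80) is easy to pick out of flow logs once you count distinct targets and distinct watched ports per source. The script below is an added example, not part of the original thread or Dave Dittrich's post. The one-flow-per-line log format ("<ts> <src> <dst> <dport> <proto>"), the thresholds, and all sample lines are assumptions constructed for this example; map the parser to whatever your flow collector actually emits.

```python
"""Flag sources whose outbound flows match the scanning pattern in the thread:
many distinct destinations, all in the scanner's own /8, on tcp 2745, 1025,
3127, 6129 and 80.

Added example, not from the original post. The flow-log format
("<ts> <src> <dst> <dport> <proto>", one flow per line), the thresholds
and the sample lines are all assumptions constructed for this example.
"""

from collections import defaultdict
import ipaddress

WATCHED_PORTS = {2745, 1025, 3127, 6129, 80}
MIN_DISTINCT_DSTS = 10   # assumed threshold: distinct targets on watched ports
MIN_WATCHED_PORTS = 3    # assumed threshold: how many of the five ports were probed


def parse_flow(line):
    """Parse one assumed-format flow line; return (src, dst, dport) or None.

    Non-TCP and malformed lines are dropped so a noisy feed cannot raise
    an exception mid-run."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp":
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]),
                int(parts[3]))
    except ValueError:
        return None


def find_scanners(lines, min_dsts=MIN_DISTINCT_DSTS, min_ports=MIN_WATCHED_PORTS):
    """Return {src_ip: summary} for sources that look like the described scanner.

    A web crawler hits many hosts but only port 80, so requiring several of
    the watched ports separates it from a host probing the whole set."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    same_octet = defaultdict(lambda: [0, 0])   # [flows with same first octet, total flows]

    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if dport not in WATCHED_PORTS:
            continue
        dsts[src].add(dst)
        ports[src].add(dport)
        same_octet[src][1] += 1
        if src.packed[0] == dst.packed[0]:   # first octet of src == first octet of dst
            same_octet[src][0] += 1

    flagged = {}
    for src, targets in dsts.items():
        if len(targets) >= min_dsts and len(ports[src]) >= min_ports:
            same, total = same_octet[src]
            flagged[str(src)] = {
                "distinct_dsts": len(targets),
                "ports": sorted(ports[src]),
                "same_first_octet": same / total,   # 1.0 == every target shares src's /8
            }
    return flagged


def _constructed_log():
    """Constructed sample: one scanner, one web crawler, one ordinary client."""
    lines = []
    scanner = "10.1.2.3"
    cycle = [2745, 1025, 3127, 6129, 80]
    for i in range(12):      # 12 distinct targets, all inside 10.0.0.0/8
        dst = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}"
        lines.append(f"{1080000000 + i} {scanner} {dst} {cycle[i % 5]} tcp")
    for i in range(15):      # crawler: many targets, but only port 80, other /8
        lines.append(f"{1080000100 + i} 10.5.5.5 203.0.113.{i} 80 tcp")
    lines += [
        "1080000200 10.9.9.9 192.0.2.10 80 tcp",     # ordinary browsing
        "1080000201 10.9.9.9 10.9.9.20 445 tcp",     # not a watched port
        "1080000202 10.9.9.9 192.0.2.53 53 udp",     # ignored: not TCP
        "garbage line that does not parse",
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults only 10.1.2.3 is reported, with all five ports and a same-first-octet ratio of 1.0; dropping the port threshold to 1 also surfaces the crawler, but its ratio of 0.0 shows it is not sweeping its own /8. Traffic from the Internet into the network, which Mike also mentions, is just the same aggregation keyed on external sources.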