[unisog] Increased Activity

Joseph Tam tam at math.ubc.ca
Thu Mar 25 02:39:31 GMT 2004


On Mon, 22 Mar 2004, Jason Richardson wrote:

>> This morning I see a dramatic increase in hosts on our network that are
>> scanning for
>>
>> tcp 2745
>> tcp 1025
>> tcp 3127
>> tcp 6129
>> tcp   80
>> 2745 is the Bagle/Beagle worm (probably variant E - H);
>> 3127 is probably MyDoom which uses 3127 or the next available port up
>> to 3198
>> 6129 is Dameware.
>
> You can Google for any of these by using "port xxxx virus."  1025 and
> 80 are usually legit but the way you describe the first byte of the DST
> IP staying the same while the other three change indicates something
> like Nimda or Code Red.

I'm seeing these combo scans too.  I Google search turned up suspicions that it
may be a variant of the Agobot backdoor.  For example,

	http://www.f-secure.com/v-descs/agobot_fo.shtml

Joseph Tam <tam at math.ubc.ca>



More information about the unisog mailing list