[unisog] RE: very high Inbound 1025 traffic increase

Landau, Gary glandau at lmu.edu
Fri Apr 1 21:55:52 GMT 2005


We've had a big influx of port 1025 traffic as well. It appears to be some sort of worm, and we've had three Windows 2000 servers infected. They would run a process called SVHOST (not to be mistaken for SVCHOST), and it would prevent them from installing security patches or running Task Manager.

Cleaning them wasn't easy either. Our Symantec anti-virus wouldn't detect it, so we had to do a manual cleanup. We had to boot into safe mode and remove the registry calls that start up the SVHOST process, and then delete the SVHOST file(s).

Gary Landau
Director, Network Services
Loyola Marymount University
glandau at lmu.edu
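The message above describes two indicators: a running process whose name is a near-miss of a legitimate Windows system image (SVHOST instead of SVCHOST), and registry autostart entries that launch it. The script below is an added example, not code from the original post or from the list; it scans a constructed tasklist-style process listing and a constructed .reg export of the HKLM/HKCU Run keys for image names that are within a small edit distance of a known system binary but are not an exact match. The process names, PIDs, registry paths and file paths in the sample input are invented for the demonstration.

```python
"""Flag process names that are near-misses of legitimate Windows system
binaries (e.g. SVHOST vs SVCHOST) in a process listing and in Run-key
exports.  All sample input below is constructed for this example."""

import re

# Legitimate Windows system image names worth guarding against lookalikes.
LEGIT_SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "spoolsv.exe"}

# Triage heuristic: names this close to a system image but not equal to it
# deserve a look.  Tune for your environment; 2 catches dropped/swapped letters.
MAX_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the legitimate image `name` most resembles, or None if `name`
    is itself a legitimate image or is not close to any of them."""
    n = name.lower()
    if n in LEGIT_SYSTEM_IMAGES:
        return None
    closest = min(LEGIT_SYSTEM_IMAGES, key=lambda legit: edit_distance(n, legit))
    return closest if edit_distance(n, closest) <= MAX_DISTANCE else None


# Constructed tasklist-style listing (image name, PID); not real output.
SAMPLE_TASKLIST = """\
Image Name                   PID
========================= ========
System                         4
svchost.exe                  812
svchost.exe                  900
SVHOST.EXE                  1384
explorer.exe                1500
taskmgr.exe                 1622
"""


def scan_tasklist(text):
    """Return (image, pid, impersonated_image) for each lookalike process."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s*$", line, re.I)
        if not m:
            continue
        image, pid = m.group(1), int(m.group(2))
        legit = lookalike_of(image)
        if legit:
            hits.append((image, pid, legit))
    return hits


# Constructed .reg export of the Run keys; paths and value names are hypothetical.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINNT\\system32\\SVHOST.EXE"
"Synaptics"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svhost"="C:\\WINNT\\svhost.exe"
"""


def scan_run_keys(text):
    """Return (key, value_name, command, impersonated_image) for each Run-key
    value whose executable name is a lookalike of a system image."""
    hits = []
    key = None
    for line in text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or key is None:
            continue
        value_name, command = m.groups()
        image = re.split(r"[\\/]", command)[-1]   # last path component
        legit = lookalike_of(image)
        if legit:
            hits.append((key, value_name, command, legit))
    return hits


if __name__ == "__main__":
    for hit in scan_tasklist(SAMPLE_TASKLIST):
        print("process lookalike:", hit)
    for hit in scan_run_keys(SAMPLE_REG):
        print("autostart lookalike:", hit)
```

The point of checking the Run keys as well as the process list is the cleanup order the message describes: the autostart entry has to go before the file, or the process simply comes back on the next boot. An exact match on svchost.exe is deliberately not flagged, since multiple legitimate svchost.exe instances are normal; a real triage would also compare the on-disk path against the expected system directory.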

------------------------------

Message: 3
Date: Thu, 31 Mar 2005 13:51:36 -0600
From: "Harris, Michael C." <HarrisMC at health.missouri.edu>
Subject: RE: [unisog]very high Inbound 1025 traffic increase
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Message-ID: <FFE408772285764C8F15260D3EC52B9401D60865 at UM-EMAIL04.um.umsystem.edu>
Content-Type: text/plain;	charset="iso-8859-1"

Take a look at port 1025 on your border....

Huge ramp-up in external inbound traffic on TCP port 1025; no capture yet, but I will forward one as I am able to retrieve one.

------------------------------------
Mike Harris
System Security Analyst & Instructor
University Of Missouri Health Center
harrismc at health.missouri.edu  KCØPAH
------------------------------------
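The message above reports a ramp-up in inbound TCP/1025 at the border without yet having a capture. The script below is an added example, not code from the original post or from the list; it shows the kind of check a border firewall log can answer before a capture exists: count outside-to-inside TCP flows to port 1025 per minute, track distinct external sources, and flag minutes that exceed a multiple of the pre-event baseline. The log line format, the campus address range (192.0.2.0/24) and every address and timestamp are constructed for the demonstration and are not taken from the thread.

```python
"""Spot a ramp-up in inbound TCP/1025 at the border from firewall log lines.
The log format, address ranges and timestamps below are constructed for this
example; adapt LINE_RE and INTERNAL_NETS to your own firewall and netblocks."""

import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical campus range used to decide flow direction.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed firewall log format: "<ISO timestamp> <host> <action> proto=.. src=ip:port dst=ip:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: two quiet minutes, then a burst of external hosts
# hitting TCP/1025 on many internal addresses (a scan-like pattern).
SAMPLE_LOG = """\
2005-03-31T12:00:07 fw1 ACCEPT proto=tcp src=198.51.100.10:3345 dst=192.0.2.20:1025
2005-03-31T12:00:40 fw1 ACCEPT proto=tcp src=198.51.100.11:2201 dst=192.0.2.21:80
2005-03-31T12:01:12 fw1 DENY proto=tcp src=203.0.113.5:4412 dst=192.0.2.22:1025
2005-03-31T12:01:50 fw1 ACCEPT proto=udp src=203.0.113.6:1025 dst=192.0.2.23:1025
2005-03-31T12:02:01 fw1 DENY proto=tcp src=203.0.113.7:1101 dst=192.0.2.24:1025
2005-03-31T12:02:02 fw1 DENY proto=tcp src=203.0.113.8:1102 dst=192.0.2.25:1025
2005-03-31T12:02:03 fw1 DENY proto=tcp src=203.0.113.9:1103 dst=192.0.2.26:1025
2005-03-31T12:02:04 fw1 DENY proto=tcp src=203.0.113.10:1104 dst=192.0.2.27:1025
2005-03-31T12:02:05 fw1 DENY proto=tcp src=203.0.113.11:1105 dst=192.0.2.28:1025
2005-03-31T12:02:06 fw1 DENY proto=tcp src=203.0.113.12:1106 dst=192.0.2.29:1025
2005-03-31T12:02:07 fw1 ACCEPT proto=tcp src=192.0.2.30:1025 dst=203.0.113.13:1025
2005-03-31T12:02:08 fw1 DENY proto=tcp src=203.0.113.7:1107 dst=192.0.2.31:1025
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield parsed fields for lines that match the log format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def inbound_port_counts(log_text, port=1025):
    """Per-minute count of external->internal TCP flows to `port`, and the
    set of distinct external sources seen in each minute.

    Only outside-in flows are counted: 1025 also sits in the Windows dynamic
    port range, so replies to internal clients' outbound connections would
    otherwise inflate the numbers."""
    counts = Counter()
    sources = defaultdict(set)
    for r in parse(log_text.splitlines()):
        if r["proto"].lower() != "tcp" or int(r["dport"]) != port:
            continue
        if is_internal(r["src"]) or not is_internal(r["dst"]):
            continue
        bucket = r["ts"][:16]          # minute resolution: YYYY-MM-DDTHH:MM
        counts[bucket] += 1
        sources[bucket].add(r["src"])
    return counts, sources


def ramp_up_buckets(counts, baseline_buckets=2, factor=5):
    """Return (minute, count) for minutes after the baseline window whose
    count exceeds `factor` times the baseline mean (floored at 1 flow/min)."""
    keys = sorted(counts)
    base = keys[:baseline_buckets]
    baseline = max(1.0, sum(counts[k] for k in base) / max(1, len(base)))
    return [(k, counts[k]) for k in keys[baseline_buckets:] if counts[k] > factor * baseline]


if __name__ == "__main__":
    counts, sources = inbound_port_counts(SAMPLE_LOG)
    for minute, n in sorted(counts.items()):
        print(minute, "flows:", n, "distinct external sources:", len(sources[minute]))
    print("ramp-up minutes:", ramp_up_buckets(counts))
```

The distinct-source count is the quick way to tell a single noisy host from a spreading worm: many external sources sweeping many internal destinations on one port looks like propagation, one source hammering one host does not. A capture from one of the flagged minutes is still what you want next, since the flow log says nothing about the payload.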
