[unisog] Re: Possible new virus running

Peter Van Epp vanepp at sfu.ca
Wed Feb 2 06:05:50 GMT 2005


	Still don't know what it is (several AV programs find nothing but the
machine is still infected), but it is calling home to port 30591 on a variety
of hosts (many of them apparently web hosting sites such as theplanet.com)
after which they start scanning for port 445 according to argus.

31 Jan 05 13:48:11           tcp   142.58.xx.yyy.3034   ->    70.84.128.36.30591
 9        8         627          1169        CON

Jan 31 13:49:08 %ACL_LOG-A-DENY  TCP 142.58.xx.yyy:3123 -> 142.58.aaa.bbb:445

31 Jan 05 14:13:50  d        tcp   142.58.xx.yyy.4337   ->    67.18.179.68.30591
 12       11        867          1457        CON
31 Jan 05 14:16:23  *        tcp    142.58.xx.yy.3330   ->    67.19.205.52.30591
 11       13        869          1656        CON
31 Jan 05 14:31:45           tcp  142.58.ccc.ddd.1168   ->     70.84.0.212.30591
 1        1         62           54          RST
	(tried this one a couple of times unsuccessfully then switched)
31 Jan 05 14:31:47  *        tcp  142.58.ccc.ddd.1173   ->    70.84.128.36.30591
 10       10        740          1343        CON

Jan 31 14:32:53 %ACL_LOG-A-DENY TCP 142.58.ccc.ddd:1482 -> 142.58.eee.fff:445

... (lots more)

	It appears to be using this set of ips to connect to:

67.18.179.68
67.19.205.52
69.231.4.204 (no apparent replies)
69.93.92.162
70.84.0.212
70.84.128.36

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
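Detection logic for the pattern described above (a completed argus flow to port 30591 from a host, followed shortly by ACL denies for port 445 from that same host), added here as an example and not part of the original post. The sample records are constructed to mirror the argus and ACL line formats quoted above, the 142.58.x.y source addresses are placeholders, and the regular expressions assume exactly those two layouts.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input modelled on the argus and ACL lines in the post; 142.58.x.y hosts are placeholders.
ARGUS_LOG = """\
31 Jan 05 13:48:11           tcp   142.58.1.10.3034   ->    70.84.128.36.30591
 9        8         627          1169        CON
31 Jan 05 14:13:50  d        tcp   142.58.1.10.4337   ->    67.18.179.68.30591
 12       11        867          1457        CON
31 Jan 05 14:31:45           tcp  142.58.2.20.1168   ->     70.84.0.212.30591
 1        1         62           54          RST
31 Jan 05 14:31:47  *        tcp  142.58.2.20.1173   ->    70.84.128.36.30591
 10       10        740          1343        CON
"""
ACL_LOG = """\
Jan 31 13:49:08 %ACL_LOG-A-DENY  TCP 142.58.1.10:3123 -> 142.58.9.9:445
Jan 31 14:32:53 %ACL_LOG-A-DENY TCP 142.58.2.20:1482 -> 142.58.9.10:445
Jan 31 09:00:00 %ACL_LOG-A-DENY TCP 142.58.4.40:1500 -> 142.58.9.11:445
"""
YEAR, CALLHOME_PORT, SCAN_PORT = 2005, 30591, 445   # the ACL log carries no year field
WINDOW = timedelta(minutes=10)   # scanning must begin this soon after a call-home to correlate
# argus record header: time, optional flag column, proto, src.port -> dst.port (status is on the next line)
ARGUS_RE = re.compile(r"^(\d\d \w{3} \d\d \d\d:\d\d:\d\d)\s+\S*\s*tcp\s+(\d+(?:\.\d+){3})\.\d+\s+->\s+\S+\.(\d+)$")
ACL_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) %ACL_LOG-A-DENY\s+TCP\s+(\d+(?:\.\d+){3}):\d+ -> \S+:(\d+)$")

def callhomes(argus_text):
    """{src_ip: [time, ...]} for flows to CALLHOME_PORT whose status line says CON."""
    out, lines = {}, argus_text.splitlines()
    for i, line in enumerate(lines):
        m = ARGUS_RE.match(line.strip())
        state = lines[i + 1].split()[-1] if m and i + 1 < len(lines) else ""
        if m and int(m.group(3)) == CALLHOME_PORT and state == "CON":   # RST = peer refused
            out.setdefault(m.group(2), []).append(datetime.strptime(m.group(1), "%d %b %y %H:%M:%S"))
    return out

def scan_denies(acl_text, year=YEAR):
    """{src_ip: [time, ...]} for denied TCP attempts to SCAN_PORT."""
    out = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(3)) == SCAN_PORT:
            out.setdefault(m.group(2), []).append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return out

def suspects(argus_text, acl_text):
    """{ip: (callhome_time, first_445_deny)} for hosts that scanned within WINDOW of calling home."""
    denies, found = scan_denies(acl_text), {}
    for ip, calls in callhomes(argus_text).items():
        pairs = [(c, t) for c in calls for t in denies.get(ip, []) if c <= t <= c + WINDOW]
        if pairs:
            found[ip] = min(pairs)   # earliest call-home that was followed by a 445 attempt
    return found
```

A host whose only 30591 flows ended in RST, or that hit 445 with no preceding call-home, is not reported, which keeps ordinary SMB noise out of the list.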