[unisog] suspicious traffic to lmu.edu

Pat@350ZRoadsterClub pat at 350zroadsterclub.com
Wed Nov 16 02:59:53 GMT 2005

Has there been any follow up to traffic lmu has been receiving? ...I
just caught my computer sending this to lmu:

Using TCP (flag: S)

Tried to establish a connection.


Landau, Gary glandau at lmu.edu 
Fri Apr 1 21:55:52 GMT 2005 

We've had a big influx of port 1025 traffic as well.  It appears to be
some sort of worm and we've had three Windows 2000 servers infected.
They would run a process called SVHOST (not to be mistaken for SVCHOST)
and it would prevent them from installing security patches or running

Cleaning them wasn't easy either.  Our Symantec anti-virus wouldn't
detect it, so we had to do a manual cleanup.  We had to boot in safe
mode and remove the registry calls that start up the SVHOST process, and
then delete the SVHOST file(s).

Gary Landau
Director, Network Services
Loyola Marymount University
glandau at lmu.edu
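The two checks the cleanup above relies on (a process name one letter off from SVCHOST, and a Run-key entry that restarts it) can be turned into a triage script. This is an added example, not code from the list or from any poster; the process list and Run-key entries it scans are constructed sample data for a hypothetical host.

```python
import ntpath

# The legitimate Windows service host has exactly this name and lives only in System32.
LEGIT_NAME = "svchost.exe"
LEGIT_DIR = r"c:\windows\system32"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single missing letter separates SVHOST from SVCHOST."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_suspicious(image_path: str):
    """Why this image masquerades as svchost (lookalike name or wrong directory), or None."""
    path = image_path.lower()
    name, directory = ntpath.basename(path), ntpath.dirname(path)
    if name == LEGIT_NAME:
        return None if directory == LEGIT_DIR else f"{LEGIT_NAME} running outside System32"
    return f"lookalike of {LEGIT_NAME}" if edit_distance(name, LEGIT_NAME) <= 1 else None

def triage(processes, autoruns):
    """Check running processes and Run-key entries; returns (where, what, reason) findings."""
    findings = []
    for pid, path in processes:
        reason = is_suspicious(path)
        if reason:
            findings.append(("process", f"pid {pid} {path}", reason))
    for key, value_name, command in autoruns:
        # The image is the quoted path, or the command text up to the first space.
        image = command.split('"')[1] if command.startswith('"') else command.split()[0]
        reason = is_suspicious(image)
        if reason:
            findings.append(("autorun", f"{key}\\{value_name}", reason))
    return findings

# Constructed sample inventory from a hypothetical host, not data from the thread.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
PROCESSES = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),   # genuine service host
    (1340, r"C:\WINDOWS\system32\svhost.exe"),   # lookalike name, as in the report
    (2044, r"C:\Temp\svchost.exe"),              # right name, wrong directory
]
AUTORUNS = [
    (RUN_KEY, "Service Host", r"C:\WINDOWS\system32\svhost.exe"),  # persistence for the lookalike
    (RUN_KEY, "Mixer", r'"C:\Program Files\Audio\mixer.exe" /s'),  # benign entry
]
```

Running `triage(PROCESSES, AUTORUNS)` on the sample reports the lookalike process, the misplaced svchost.exe and the Run-key value that restarts the lookalike, which are the items the manual safe-mode cleanup had to remove.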


Message: 3
Date: Thu, 31 Mar 2005 13:51:36 -0600
From: "Harris, Michael C." <HarrisMC at health.missouri.edu>
Subject: RE: [unisog]very high Inbound 1025 traffic increase
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>

Take a look at port 1025 on your border....

Huge ramp-up in external inbound traffic on TCP port 1025; no capture yet,
but will forward one as I am able to retrieve one.

Mike Harris
System Security Analyst & Instructor
University Of Missouri Health Center
harrismc at health.missouri.edu  KCØPAH

Listen to 24/7 Trance
