 pkeech join:2003-02-21 Clawson, MI | reply to Link Logger
Re: New Worms scanning on 1025 and others
Hey Blake, just started seeing those scans at 5:05 p.m. EST. 1 interesting scan scanned 8 ports at 1 time, in order: ports 2745, 135, 1025, 445, 3127, 6129, 139, 80. Most are scanning 4-6 ports, must be propagating real fast. All the hits I'm getting are coming from wideopenwest customers (my ip) |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | quote: The scanning is not launched at startup. The scans appear to be sequential, e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each scanned IP. This may be a means by which to detect the scan and sploit activities of Phatbot.
Like other IRC-based backdoor trojans, this one probably awaits a command via IRC to start scanning/spreading.
My port 3127 'pot picked up another copy of this bot/worm/trojan - but this one was also infected with Win32.Xorala (KAV)/W32.Harmony (F-Prot) - nothing like a double whammy - a bot/trojan/worm infected with a virus. I'd hate to have to clean up THAT PC!  |
|
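The quote in the post above suggests the sequential multi-port probe is itself a detection signature. The following is an added example, not part of the original thread, showing one way to flag it in firewall drop logs; the log line format, addresses, timestamps, threshold and window are constructed assumptions, and only the port set comes from the quote.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port set taken from the quoted description in the post above.
SIGNATURE_PORTS = {135, 139, 445, 3127, 6129}

# Assumed (constructed) log format, not any real product's:
# "YYYY-MM-DD HH:MM:SS DROP TCP src_ip:src_port -> dst_ip:dst_port"
LINE_RE = re.compile(r"^(\S+ \S+) DROP TCP (\S+):\d+ -> (\S+):(\d+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the assumed format
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_multiport_scanners(lines, min_ports=4, window=timedelta(seconds=60)):
    """Return {src_ip: sorted signature ports} for sources probing at least
    min_ports distinct signature ports on ONE destination inside the window."""
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, port)]
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in SIGNATURE_PORTS:
            hits[(rec[1], rec[2])].append((rec[0], rec[3]))
    flagged = {}
    for (src, _dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over the probes
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in flagged.items()}

# Constructed sample: the 8-port sweep from the first post, a lone 445 prober,
# and a slow source whose probes fall in two separate windows.
SAMPLE = [f"2004-01-01 17:05:0{i} DROP TCP 203.0.113.7:400{i} -> 198.51.100.10:{p}"
          for i, p in enumerate([2745, 135, 1025, 445, 3127, 6129, 139, 80])]
SAMPLE += [
    "2004-01-01 17:06:00 DROP TCP 203.0.113.99:5000 -> 198.51.100.10:445",
    "2004-01-01 17:06:01 DROP TCP 203.0.113.99:5001 -> 198.51.100.11:445",
    "2004-01-01 17:10:00 DROP TCP 192.0.2.50:6000 -> 198.51.100.10:135",
    "2004-01-01 17:10:01 DROP TCP 192.0.2.50:6001 -> 198.51.100.10:139",
    "2004-01-01 17:20:00 DROP TCP 192.0.2.50:6002 -> 198.51.100.10:445",
    "2004-01-01 17:20:01 DROP TCP 192.0.2.50:6003 -> 198.51.100.10:3127",
]
```

Keying on the (source, destination) pair is what separates this pattern from ordinary single-port sweeps across many hosts, which the lone 445 prober in the sample represents.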
 Link Logger Premium, MVM join:2001-03-29 Calgary, AB
| I think we have hit the next phase, where every vulnerable computer on the planet is infected, and so now we are heading into the "infect it X times" phase or, as we have seen, "clean off the other infections and infect it". If someone comes out with a new exploit, it should be interesting to see what happens then.
The other thing is, once again the crew in BBR's security forum is leading the charge into detection of new nasties. Good work, everyone.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|