
Worm identity?

Anonymous
May 5, 2004 3:17:34 PM

Archived from groups: comp.security.firewalls

I'm sure those who are watching port scans more closely than I will
know immediately which worm is causing this series:

11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129

The sequence is pretty consistent, and repeats non-stop with about a
five-second lag between attempts.

I'm getting about 15 thousand scans like this (per day) from folks
served by my ISP (Cincinnati Bell's ZoomTown DSL/Fuse.net). They've
been pretty aggressive about shutting down access from infected
customers in the past, so I think they'll respond to a request to do
so - but I'd like to have the name of the beast before I contact them.

Thanks in advance for any help you can offer in identifying this one,
or if you can suggest a decent resource that allows worm
identification searches by ports scanned.

Jim

Anonymous
May 5, 2004 7:31:20 PM

On Wed, 05 May 2004 11:17:34 -0400, nospam@spammenot.spam.org spoketh

>I'm sure those who are watching port scans more closely than I will
>know immediately which worm is causing this series:
>
>11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
>11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
>11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
>11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
>11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
>11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
>11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
>
>The sequence is pretty consistent, and repeats non-stop with about a
>five-second lag between attempts.
>

That's not one worm, that's a whole host of them.

2745 is the Beagle worm
1433 is the SQLSlammer worm
5000 is part of UPnP
80 is http, and probably the Code Red or Nimda worm
3127 is the MyDoom worm
6129 is something called Dameware remote admin, which has a
vulnerability that is being exploited.

You need to forward this to your ISP, and have them take this computer
down...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
May 6, 2004 3:48:07 AM

nospam@spammenot.spam.org wrote:

>I'm sure those who are watching port scans more closely than I will
>know immediately which worm is causing this series:
>
>11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
>11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
>11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
>11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
>11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
>11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
>11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129

This is the work of one worm, an "Agobot/Gaobot" worm variant that
goes by several different names, depending on which AV company you
query. Look at: http://www.mynetwatchman.com/tools/sc/Agobot.htm
Anonymous
May 7, 2004 3:15:43 AM

On Wed, 05 May 2004 15:31:20 GMT, Lars M. Hansen <badnews@hansenonline.net>
wrote:

> On Wed, 05 May 2004 11:17:34 -0400, nospam@spammenot.spam.org spoketh
>
> >I'm sure those who are watching port scans more closely than I will
> >know immediately which worm is causing this series:
> >
> >11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
> >11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
> >11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
> >11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
> >11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
> >11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
> >11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
> >
> >The sequence is pretty consistent, and repeats non-stop with about a
> >five-second lag between attempts.
> >
>
> That's not one worm, that's a whole host of them.
>
> 2745 is the Beagle worm
> 1433 is the SQLSlammer worm
> 5000 is part of UPnP
> 80 is http, and probably the Code Red or Nimda worm
> 3127 is the MyDoom worm
> 6129 is something called Dameware remote admin, which has a
> vulnerability that is being exploited.
>
> You need to forward this to your ISP, and have them take this computer
> down...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"


The IP is being spoofed or the machine is on his 10.*.*.* network.
If that's the case the ISP will surely tell him that they can do nothing
and he should install a firewall.


§ß©
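One way to turn firewall lines in the quoted format into the two readings the replies give (Lars's per-port names, and the single Agobot/Gaobot sweep from the follow-up), plus the "is it on the 10.*.*.* network" check from the last reply, as an added Python example that is not part of the thread. The sample log is constructed in the quoted format (with one extra non-10/8 source for contrast), and the port labels are only the ones the replies above give, not a signature database.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log in the same format as the lines quoted in the thread;
# the last line is an added source outside 10/8 for contrast.
SAMPLE_LOG = """\
11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
11:05:35 Unrecognized access from 203.0.113.9:4021 to TCP port 80
"""

# Port -> label from Lars's per-port reading in the thread.
PORT_NOTES = {
    2745: "Beagle",
    1433: "SQLSlammer (MS SQL)",
    5000: "UPnP",
    80: "HTTP (Code Red / Nimda)",
    3127: "MyDoom",
    6129: "Dameware remote admin",
}
# The whole set hit from one source in one burst is the single-worm reading
# (the Agobot/Gaobot variant named in the follow-up reply).
AGOBOT_PROFILE = frozenset(PORT_NOTES)
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d Unrecognized access from ([\d.]+):\d+ to TCP port (\d+)$")

def parse_log(text):
    """Return {source_ip: set of destination ports} for lines matching the format."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group(1)].add(int(m.group(2)))
    return dict(hits)

def classify(src, ports):
    """Label one source: per-port names, full-sweep match, and whether it sits in 10/8."""
    return {
        "ports": [PORT_NOTES.get(p, "unknown") for p in sorted(ports)],
        "agobot_profile": AGOBOT_PROFILE <= ports,
        "in_10_slash_8": ipaddress.ip_address(src) in PRIVATE_10,
    }

def report(text):
    """Classify every source seen in the log text."""
    return {src: classify(src, ports) for src, ports in parse_log(text).items()}
```

A source flagged `in_10_slash_8` is either spoofed or inside the ISP's own private network, which is the case the last reply says the ISP may not act on.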
Anonymous
May 7, 2004 10:25:19 AM

On 5 May 2004 23:48:07 -0500, Micheal Robert Zium spoketh

>nospam@spammenot.spam.org wrote:
>
>>I'm sure those who are watching port scans more closely than I will
>>know immediately which worm is causing this series:
>>
>>11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
>>11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
>>11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
>>11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
>>11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
>>11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
>>11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
>
>This is the work of one worm, an "Agobot/Gaobot" worm variant that
>goes by several different names, depending on which AV company you
>query. Look at: http://www.mynetwatchman.com/tools/sc/Agobot.htm

Wow, I didn't even look at that one ...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)