Worm identity?

Archived from groups: comp.security.firewalls

I'm sure those who are watching port scans more closely than I will
know immediately which worm is causing this series:

11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129

The sequence is pretty consistent, and repeats non-stop with about a
five-second lag between attempts.

I'm getting about 15 thousand scans like this (per day) from folks
served by my ISP (Cincinnati Bell's ZoomTown DSL/Fuse.net). They've
been pretty aggressive about shutting down access from infected
customers in the past, so I think they'll respond to a request to do
so - but I'd like to have the name of the beast before I contact them.

Thanks in advance for any help you can offer in identifying this one,
or if you can suggest a decent resource that allows worm
identification searches by ports scanned.

Jim
  1. On Wed, 05 May 2004 11:17:34 -0400, nospam@spammenot.spam.org spoketh

    >I'm sure those who are watching port scans more closely than I will
    >know immediately which worm is causing this series:
    >
    >11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
    >11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
    >11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
    >11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
    >11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
    >11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
    >11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
    >
    >The sequence is pretty consistent, and repeats non-stop with about a
    >five-second lag between attempts.
    >

    That's not one worm, that's a whole host of them.

    2745 is the Beagle worm
    1433 is the SQLSlammer worm
    5000 is part of UPnP
    80 is http, and probably the Code Red or Nimda worm
    3127 is the MyDoom worm
    6129 is something called Dameware remote admin, which has a
    vulnerability that is being exploited.

    You need to forward this to your ISP, and have them take this computer
    down...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  2. nospam@spammenot.spam.org wrote:

    >I'm sure those who are watching port scans more closely than I will
    >know immediately which worm is causing this series:
    >
    >11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
    >11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
    >11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
    >11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
    >11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
    >11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
    >11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129

    This is the work of one worm, an "Agobot/Gaobot" worm variant that
    goes by several different names, depending on which AV company you
    query. Look at: http://www.mynetwatchman.com/tools/sc/Agobot.htm
  3. On Wed, 05 May 2004 15:31:20 GMT, Lars M. Hansen <badnews@hansenonline.net>
     wrote:

    > On Wed, 05 May 2004 11:17:34 -0400, nospam@spammenot.spam.org spoketh
    >
    > >I'm sure those who are watching port scans more closely than I will
    > >know immediately which worm is causing this series:
    > >
    > >11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
    > >11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
    > >11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
    > >11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
    > >11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
    > >11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
    > >11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
    > >
    > >The sequence is pretty consistent, and repeats non-stop with about a
    > >five-second lag between attempts.
    > >
    >
    > That's not one worm, that's a whole host of them.
    >
    > 2745 is the Beagle worm
    > 1433 is the SQLSlammer worm
    > 5000 is part of UPnP
    > 80 is http, and probably the Code Red or Nimda worm
    > 3127 is the MyDoom worm
    > 6129 is something called Dameware remote admin, which has a
    > vulnerability that is being exploited.
    >
    > You need to forward this to your ISP, and have them take this computer
    > down...
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"


    The IP is being spoofed or the machine is on his 10.*.*.* network.
    If that's the case the ISP will surely tell him that they can do nothing
    and he should install a firewall.


    §ß©
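Pulling the three replies together (the per-port attributions in reply 1, the single-source multi-port sweep that reply 2 attributes to an Agobot/Gaobot variant, and reply 3's point that a 10.x.x.x source is either spoofed or on the local network), here is an added Python triage script. It is not from the thread or from any of the posters: it parses log lines in the format Jim posted, groups destination ports per source, flags a source that hits the whole port set as an Agobot-style sweep, and marks RFC 1918 sources as something the ISP abuse desk cannot act on. The seven log lines are the ones from the post; the two lines from 198.51.100.7 (a documentation address) are constructed here as a negative case, and the `min_overlap` threshold and the verdict labels are this example's own choices.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: the seven lines quoted in the thread, plus two lines
# from a second (documentation-range) source that only probes one port, so the
# classifier has a negative case to reject.
SAMPLE_LOG = """\
11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
11:06:02 Unrecognized access from 198.51.100.7:4411 to TCP port 1433
11:06:05 Unrecognized access from 198.51.100.7:4412 to TCP port 1433
"""

# Matches the firewall's "Unrecognized access" line format from the post.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to TCP port (?P<dport>\d+)$"
)

# Destination ports with the meaning given in the first reply.
PORT_NOTES = {
    2745: "Beagle (Bagle) backdoor",
    1433: "MS SQL Server (SQL Slammer target)",
    5000: "UPnP",
    80: "HTTP (Code Red / Nimda target)",
    3127: "MyDoom backdoor",
    6129: "DameWare remote admin",
}

# One source hitting all of these in a burst is the multi-vector sweep the
# second reply attributes to an Agobot/Gaobot variant.
AGOBOT_SWEEP = frozenset(PORT_NOTES)

# RFC 1918 space: a source here is spoofed or sits on the local network
# (third reply), so there is nothing an ISP abuse desk can shut off.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Yield (time, src_ip, dst_port) for each line matching the log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["time"], m["src"], int(m["dport"])


def summarize_sources(text):
    """Map each source IP to {'ports': set of destination ports, 'hits': line count}."""
    summary = defaultdict(lambda: {"ports": set(), "hits": 0})
    for _, src, dport in parse_log(text):
        summary[src]["ports"].add(dport)
        summary[src]["hits"] += 1
    return dict(summary)


def classify(src, ports, min_overlap=4):
    """Classify one source by the set of destination ports it touched."""
    ports = set(ports)
    overlap = ports & AGOBOT_SWEEP
    if AGOBOT_SWEEP <= ports:                  # every port of the sweep seen
        verdict = "agobot-style multi-port sweep"
    elif len(overlap) >= min_overlap:          # most of it, possibly truncated log
        verdict = "partial multi-port sweep"
    elif len(ports) == 1:                      # a single-service probe, e.g. 1433 only
        verdict = "single-port probe"
    else:
        verdict = "unclassified"
    internal = any(ip_address(src) in net for net in RFC1918)
    return {
        "src": src,
        "verdict": verdict,
        "ports": sorted(ports),
        "notes": [PORT_NOTES[p] for p in sorted(overlap)],
        "rfc1918_source": internal,
        "actionable_by_isp": not internal,
    }


def triage(text):
    """Run the classifier over a whole log; one verdict dict per source."""
    return [{**classify(src, info["ports"]), "hits": info["hits"]}
            for src, info in summarize_sources(text).items()]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        where = "private/local address" if r["rfc1918_source"] else "public address"
        print(f"{r['src']} ({where}): {r['verdict']}, {r['hits']} hits on ports {r['ports']}")
        for note in r["notes"]:
            print("   -", note)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the per-source `hits` count is what you would quote to the abuse desk, and a `rfc1918_source` of `True` is the cue that the complaint belongs on your own side of the router rather than with the ISP.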
  4. On 5 May 2004 23:48:07 -0500, Micheal Robert Zium spoketh

    >nospam@spammenot.spam.org wrote:
    >
    >>I'm sure those who are watching port scans more closely than I will
    >>know immediately which worm is causing this series:
    >>
    >>11:05:30 Unrecognized access from 10.161.77.197:3398 to TCP port 2745
    >>11:05:30 Unrecognized access from 10.161.77.197:3419 to TCP port 1433
    >>11:05:30 Unrecognized access from 10.161.77.197:3420 to TCP port 5000
    >>11:05:30 Unrecognized access from 10.161.77.197:3427 to TCP port 80
    >>11:05:30 Unrecognized access from 10.161.77.197:1187 to TCP port 2745
    >>11:05:30 Unrecognized access from 10.161.77.197:1207 to TCP port 3127
    >>11:05:30 Unrecognized access from 10.161.77.197:1208 to TCP port 6129
    >
    >This is the work of one worm, an "Agobot/Gaobot" worm variant that
    >goes by several different names, depending on which AV company you
    >query. Look at: http://www.mynetwatchman.com/tools/sc/Agobot.htm

    Wow, I didn't even look at that one ...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)