[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] New Blaster variant using UDP port 1038?
- To: "Stahlkrantz, Mats (Mats)" <mstahlkrantz@lucent.com>, <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] New Blaster variant using UDP port 1038?
- From: "Jeremiah Cornelius" <jeremiah@nur.net>
- Date: Thu, 14 Aug 2003 12:55:50 -0700
> We're starting to see exploit attempts that are followed by probes from
the infected host on tcp/4444,
> and then UDP/1038. Has anyone else seen this?
Yeah. And UDP/1026.
I mailed this yesterday:
Interesting phenomenon emerging:
We have noticed in our log aggregators that some of the same hosts yesterday
that were doing port 135 scans... today seem to be doing some port 1026
scans. This is a listener port for MS Messenger. List follwers will
remember that this has been used as an avenue for spammers to send "pop-up"
alerts on users desktops.
farm9 (the InfoSec group I work for) is keeping an eye on this - we
correlate syslog, winlog, IDS and firewall data from a dozen or so
enterprises.
Has anybody spotted similar activity? It would be interesting to see if
this is a new worm iteration. Maybe sombody clever has figured they can
deliver MSSBlast.exe or phallus32.exe via Messenger.
I have already noticed curious folks that find that they can bind to a shell
on 4444, and are now fiddling around here - for a minute or so... ;-)
--
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc@farm9.com - mobile: 415.235.7689
"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html