
Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?



<DIV>Jeremiah, I&nbsp;can tell you with no further delays that at least&nbsp;60-70% of the portscans I have been catching with a simple home-based personal firewall have been for the two ports you mentioned - especially the 135, much more constant than any other - a predictable happening, with the blast worldwide spread. </DIV>
<DIV>I didn't, however, take the time to analyze the&nbsp;origin of those portscans - I have caught packages&nbsp;from Brazil&nbsp;and the&nbsp;US. Do you have any other statistics on the subject?</DIV>
<DIV>&nbsp;</DIV>
<DIV>Victor Vieira</DIV>
<DIV>DSM&nbsp;Losango, Brazil&nbsp;- Lloyds TSB Group</DIV>
<DIV><A href="mailto:victor.vieira@losango.com.br">victor.vieira@losango.com.br</A> </DIV>
<DIV><A href="mailto:victorvieira82@yahoo.com">victorvieira82@yahoo.com</A></DIV>
<DIV>&nbsp;</DIV>
<DIV><BR><BR><B><I>Jeremiah Cornelius &lt;jeremiah@nur.net&gt;</I></B> wrote:
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid; WIDTH: 100%">Interesting phenomenon emerging:<BR><BR>We have noticed in our log aggregators that some of the same hosts yesterday<BR>that were doing port 135 scans... today seem to be doing some port 1026<BR>scans. This is a listener port for MS Messenger. List followers will<BR>remember that this has been used as an avenue for spammers to send "pop-up"<BR>alerts on users' desktops.<BR><BR>farm9 (the InfoSec group I work for) is keeping an eye on this - we<BR>correlate syslog, winlog, IDS and firewall data from a dozen or so<BR>enterprises.<BR><BR>Has anybody spotted similar activity? It would be interesting to see if<BR>this is a new worm iteration. Maybe somebody clever has figured they can<BR>deliver MSSBlast.exe or phallus32.exe via Messenger.<BR><BR>I have already noticed curious folks that find that they can bind to a shell<BR>on 4444, and are now fiddling around here - for a minute or so... ;-)<BR><BR>-- <BR>Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut<BR>farm9 Security<BR>email: jc@farm9.com - mobile: 415.235.7689<BR><BR>"What would be the use of immortality to a person who cannot use well a half<BR>hour?"<BR>--Ralph Waldo Emerson<BR></BLOCKQUOTE></DIV>
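<DIV>The correlation described in the quoted message (the same sources scanning port 135 one day and port 1026 on a later day), as an added example that is not part of the original posts or of farm9's tooling. The log line format, addresses and dates are constructed assumptions.</DIV>

```python
import re
from datetime import date

# Constructed sample firewall log (format, addresses and dates are assumptions).
SAMPLE_LOG = """\
2003-08-13T09:14:02 DROP SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=135
2003-08-13T09:20:41 DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=135
2003-08-13T11:02:17 DROP SRC=192.0.2.99 DST=10.0.0.8 PROTO=UDP DPT=1026
2003-08-14T08:55:30 DROP SRC=192.0.2.10 DST=10.0.0.5 PROTO=UDP DPT=1026
2003-08-14T09:01:12 DROP SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP DPT=135
2003-08-14T09:30:00 DROP SRC=203.0.113.44 DST=10.0.0.5 PROTO=UDP DPT=1026
2003-08-14T10:12:09 DROP SRC=192.0.2.99 DST=10.0.0.8 PROTO=TCP DPT=135
garbled line that the parser must skip
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ \S+ SRC=(\S+) .*\bDPT=(\d+)\s*$")


def port_shift_hosts(log_text, first_port=135, second_port=1026):
    """Return {src: (first_day, later_day)} for sources that probed
    first_port and then, on a later day, second_port."""
    earliest_first = {}  # src -> earliest day seen on first_port
    latest_second = {}   # src -> latest day seen on second_port
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not firewall drop records
        day, src, port = date.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
        if port == first_port:
            earliest_first[src] = min(day, earliest_first.get(src, day))
        elif port == second_port:
            latest_second[src] = max(day, latest_second.get(src, day))
    # Keep only sources whose second-port activity follows the first-port activity.
    return {
        src: (earliest_first[src], latest_second[src])
        for src in sorted(earliest_first)
        if src in latest_second and earliest_first[src] < latest_second[src]
    }


if __name__ == "__main__":
    for src, (d1, d2) in port_shift_hosts(SAMPLE_LOG).items():
        print(f"{src}: port 135 on {d1}, port 1026 on {d2}")
```

<DIV>Sources that only ever hit one of the two ports, or that hit 1026 before 135, are left out, so the result lists only the hosts that match the shift described in the message.</DIV>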