
Hello,

Over the last few days I've seen a number of hosts attempt to initiate TCP connections to the following ports in sequence.

80 139 445 6129 3127 1025 135 2745 ...repeat.

At this moment I haven't seen a correlation between this activity and the port exploitation list on CERT. Any insight would be appreciated, thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

--On Saturday, April 10, 2004 8:35 AM -0700 "Christopher J. Wolff" <chris@bblabs.com> wrote:
Hello,
Over the last few days I've seen a number of hosts attempt to initiate TCP connections to the following ports in sequence.
80 139 445 6129 3127 1025 135 2745 ...repeat.
There's a number of viruses/worms in the wild that are programmed to exploit various M$ vulnerabilities:

80 - IIS WebDAV (MS03-007) and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares

I'm not sure about the other ports, I *think* 1025 has something to do with MS RPC as well, but don't quote me on that.

What you are probably seeing, at least in the cases involving the ports I listed above, is one of the many W32.Gaobot (Symantec)[1] variants.

-J

[1] http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm

--
Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org

On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
File Not Found... 'l' missing from end of 'htm'. http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html

On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one point in time:
On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
File Not Found... 'l' missing from end of 'htm'.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
this is correct. my organization has been infected with this and it is a particularly nasty little bugger. we may have been 'patient 0' in terms of sending copies of the virus to symantec so they could write signatures for it. infected hosts flood the network with a tremendous amount of data and port opening.

i at least managed to quarantine off all my vpn devices which seemed to be the entry point.

-r

Thank you for the input. The 'unique' feature of this infestation is that affected hosts don't transmit a lot of data...however they do open up thousands of flows in a very short time. Perhaps that's not unique but it certainly is annoying.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of ravi pina
Sent: Saturday, April 10, 2004 11:30 AM
To: Darrell Greenwood
Cc: 'nanog list'
Subject: Re: worm information
On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one point in time:
On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
File Not Found... 'l' missing from end of 'htm'.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
this is correct. my organization has been infected with this and it is a particularly nasty little bugger. we may have been 'patient 0' in terms of sending copies of the virus to symantec so they could write signatures for it. infected hosts flood the network with a tremendous amount of data and port opening.
i at least managed to quarantine off all my vpn devices which seemed to be the entry point.
-r
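The two observations in this thread, Jeff's list of the ports being walked (80, 139, 445, 6129, 3127, 1025, 135, 2745, repeating) and Christopher's note that infected hosts open thousands of flows in a very short time, combine into a simple flow-log detection. The code below is an added example, not code from the thread or from any of its participants: the flow layout (timestamp, source, destination, destination port), the 60-second window, the thresholds and the 192.0.2.x / 198.51.100.x addresses are constructed assumptions, and the sample records are built in the script rather than taken from any real collector.

```python
"""Flag hosts that walk the Gaobot/Agobot-style port sequence from the thread.

Added example. Flow records are (timestamp, src, dst, dport) tuples; the
sample set, thresholds and addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Port sequence reported in the thread, in the order the scanning hosts walk it.
SCAN_SEQUENCE = (80, 139, 445, 6129, 3127, 1025, 135, 2745)
SCAN_PORTS = frozenset(SCAN_SEQUENCE)


def build_sample_flows():
    """Constructed sample: one host walking the sequence against five
    destinations in 40 seconds, and one host doing ordinary web/SMB traffic."""
    t0 = datetime(2004, 4, 10, 8, 0, 0)
    flows = []
    for d in range(5):  # assumed scanner 192.0.2.10, one port per second
        for i, port in enumerate(SCAN_SEQUENCE):
            ts = t0 + timedelta(seconds=d * len(SCAN_SEQUENCE) + i)
            flows.append((ts, "192.0.2.10", f"198.51.100.{d + 1}", port))
    # assumed benign host: a few connections spread over several minutes
    for minutes, port in ((1, 80), (3, 445), (5, 80), (7, 139)):
        flows.append((t0 + timedelta(minutes=minutes), "192.0.2.20", "198.51.100.7", port))
    return flows


def walks_sequence(ports, min_len=4):
    """True if `ports` (time-ordered, one destination) is a contiguous run of
    SCAN_SEQUENCE, allowing the run to start anywhere and to wrap around."""
    if len(ports) < min_len:
        return False
    n = len(SCAN_SEQUENCE)
    cycle = SCAN_SEQUENCE * (len(ports) // n + 2)
    return any(tuple(ports) == cycle[i:i + len(ports)] for i in range(n))


def ordered_walk(recs):
    """True if any single destination saw the ports in scan order."""
    per_dst = defaultdict(list)
    for _, dst, dport in recs:  # recs must already be sorted by time
        per_dst[dst].append(dport)
    return any(walks_sequence(p) for p in per_dst.values())


def find_port_walkers(flows, window=timedelta(seconds=60),
                      min_destinations=3, min_ports=6):
    """Return {src: report} for sources that, inside some sliding `window`,
    touched >= min_destinations hosts on >= min_ports of SCAN_PORTS.
    The report describes the densest qualifying window for that source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))
    reports = {}
    for src, recs in by_src.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            win = recs[lo:hi + 1]
            dsts = {d for _, d, _ in win}
            ports = {p for _, _, p in win} & SCAN_PORTS
            if len(dsts) < min_destinations or len(ports) < min_ports:
                continue
            best = reports.get(src)
            if best is None or len(win) > best["flows_in_window"]:
                reports[src] = {
                    "flows_in_window": len(win),
                    "destinations": len(dsts),
                    "scan_ports": sorted(ports),
                    "ordered_walk": ordered_walk(recs),
                }
    return reports


if __name__ == "__main__":
    for src, report in find_port_walkers(build_sample_flows()).items():
        print(src, report)
```

The window check catches the "thousands of flows in a very short time" symptom without any payload inspection, and `ordered_walk` adds the port-order signature so that a busy but legitimate host hitting several of these ports out of order is not flagged on volume alone. Thresholds should be tuned to the site's own flow rates before this is trusted as an alert.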

hmm, honestly i can't vouch for the data rate personally. a co-worker said the counters on the VPN connections were grossly disproportionate for a short time sample.

bottom line, it is indeed annoying. i know my server and desktop groups have been having a hell of a time disinfecting hosts. i know part of this was that symantec, at the time, said it may be a polymorphic strain.

-r

On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:
Thank you for the input. The 'unique' feature of this infestation is that affected hosts don't transmit a lot of data...however they do open up thousands of flows in a very short time. Perhaps that's not unique but it certainly is annoying.
Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of ravi pina
Sent: Saturday, April 10, 2004 11:30 AM
To: Darrell Greenwood
Cc: 'nanog list'
Subject: Re: worm information
On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one point in time:
On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
File Not Found... 'l' missing from end of 'htm'.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
this is correct. my organization has been infected with this and it is a particularly nasty little bugger. we may have been 'patient 0' in terms of sending copies of the virus to symantec so they could write signatures for it. infected hosts flood the network with a tremendous amount of data and port opening.
i at least managed to quarantine off all my vpn devices which seemed to be the entry point.
-r
--

Ravi,

One of the responses to this thread mentioned a 3COM switch. One of the infected sites has a 3COM superstack 1100. I'm not a 3COM fan but these switches have been up for years, literally. All it takes to make this switch reboot is a flow from one infected host. I'm going to try to move the web interface port away from 80. Thank you.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of ravi pina
Sent: Saturday, April 10, 2004 11:44 AM
To: Christopher J. Wolff
Cc: ravi@cow.org; 'Darrell Greenwood'; 'nanog list'
Subject: Re: worm information
hmm, honestly i can't vouch for the data rate personally. a co-worker said the counters on the VPN connections were grossly disproportionate for a short time sample.
bottom line, it is indeed annoying. i know my server and desktop groups have been having a hell of a time disinfecting hosts. i know part of this was that symantec, at the time, said it may be a polymorphic strain.
-r

Agobot scanning...

Take a look at these links:
http://isc.sans.org/diary.php?date=2004-04-05
http://isc.sans.org/diary.php?date=2004-04-01
http://isc.sans.org/diary.php?date=2004-04-09

Also, take a read through the "New Worm???" thread at:
http://www.dshield.org/pipermail/intrusions/2004-April/thread.php

-Jack

--- "Christopher J. Wolff" <chris@bblabs.com> wrote:
Hello,
Over the last few days I've seen a number of hosts attempt to initiate TCP connections to the following ports in sequence.
80 139 445 6129 3127 1025 135 2745 ...repeat.
At this moment I haven't seen a correlation between this activity and the port exploitation list on CERT. Any insight would be appreciated, thank you.
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
Participants (5):
- Christopher J. Wolff
- Darrell Greenwood
- Jack McCarthy
- Jeff Workman
- ravi pina