Unfortunately the vulnerability has proven to not be restricted to port 4000. Keep monitoring SANS :-( -----Original Message----- From: Josh Richards <jrichard@digitalwest.net> Date: Sat, 20 Mar 2004 13:50:30 To:nanog@merit.edu Subject: Re: UDP port 4000 traffic: likely a new worm The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours: Time Unique Source IPs 08:00 350 09:00 332 10:00 297 11:00 298 12:00 265 (all times PST) -jr * Josh Richards <jrichard@digitalwest.net> [20040320 11:10]:
Confirmed. We had our first customer (colo) hit yesterday evening at 20:43 PST. Additionally, they experienced the hard drive corruption (which was added to the ISC diary entry within the last several hours). Traffic was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant 60 Mbit/s before we took them off-line.
-jr
* Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:
Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: Source port 4000 (but random target port) and the string "insert witty message here".
details will be posted here: http://isc.sans.org/diary.html as I get them together.
-- Josh Richards | Colocation Web Hosting Bandwidth Digital West Networks | +1 805 781-9378 / www.digitalwest.net San Luis Obispo, CA | AS14589 & AS29962 jrichard@digitalwest.net | DWNI - Making Internet Business Better