Educause Security Discussion mailing list archives

Re: Am I the only one?


From: Dan Jones <dan.jones () COLORADO EDU>
Date: Wed, 14 Apr 2004 09:40:42 -0600

Agobot/Gaobot/Phatbot variants.  We have also seen tcp/5000 in the mix.

Jim Pollard wrote:

Or did I miss it on Bugtraq?  Recently I've noticed a scan pattern in my logs and wonder if anyone might recognize it 
as either a known virus or some kiddie scanning tool looking for virus backdoors?  There are some variations... occasionally 
port 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets (take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets (Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets (MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets (W32.Mockbot) also Dameware


Thanks!

Jim

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

