Security Incidents mailing list archives
Re: New trojan running in port 12345?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 21 Dec 2000 10:04:32 +1300
On Tue, 19 Dec 2000 23:30:21 -0600 Martin H Hoz-Salvador <mhoz () citi com mx> wrote:

Hi Martin,

I saw something like this a while back, several hundred netbus scans over a period of about two weeks. The scans peaked in the weekends then trailed off. Network blocks on either side of ours did not see the scans. I eventually tracked down another site in Australia who had seen the same thing.

Source IPs were all dialup or cable/dsl belonging to major ISPs with a lot in Korea (210.0.0.0/7) as you observed, but also with a sprinkling from big North American providers.

I came to the conclusion that this was a trojan that was being actively distributed via IRC or ICQ and which targeted our address space specifically.

One characteristic of the traffic I saw (same with the Australian site too) was that the destination addresses always started at 11 (I'm guessing this is a typo for 1). Only one class C was scanned and many scans stopped before they got to 254. I am guessing that the trojan is some sort of game and since the scan is relatively slow (it takes about 20 minutes to scan a /24) then people quickly tire of the game and kill it, leaving the scan 'unfinished'.

I reported all the scans to the respective ISPs along with a description of what I suspected was happening and asked that ISPs would get in touch with their customers and verify the story. Only one got back to me and that was nearly two weeks after the incident and the customer could not remember anything useful.

I also suspect that the source of this activity is in Korea.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
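
The pattern described in this message (one source walking a single /24 upward on the NetBus port, slowly, and often stopping before .254) can be picked out of connection logs. The following is an added example, not part of the original post; the log format `epoch src dst dport`, the 10-host threshold and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

NETBUS_PORT = 12345   # port named in the thread subject
MIN_HOSTS = 10        # assumed threshold: fewer distinct targets is not a sweep

def find_sweeps(lines, port=NETBUS_PORT, min_hosts=MIN_HOSTS):
    """Return one dict per source that walked a /24 in ascending order."""
    probes = defaultdict(list)                 # (src, /24) -> [(time, last octet)]
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                           # skip malformed lines
        ts, src, dst, dport = fields
        try:
            if int(dport) != port:
                continue
            addr = ipaddress.IPv4Address(dst)
            when = float(ts)
        except ValueError:                     # bad port, address or timestamp
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        probes[(src, net)].append((when, int(addr) & 0xFF))
    sweeps = []
    for (src, net), hits in probes.items():
        hits.sort()                            # order probes by time
        octets = [o for _, o in hits]
        if len(set(octets)) < min_hosts:
            continue
        # Sequential sweep: time order matches address order (repeats allowed).
        if any(b < a for a, b in zip(octets, octets[1:])):
            continue
        sweeps.append({"src": src, "net": str(net),
                       "first": octets[0], "last": octets[-1],
                       "minutes": (hits[-1][0] - hits[0][0]) / 60,
                       "finished": octets[-1] >= 254})
    return sweeps

def sample_log():
    """Constructed log lines using documentation address ranges, not real data."""
    log = [f"{1000 + 4.7 * i:.1f} 192.0.2.10 198.51.100.{i} 12345" for i in range(1, 255)]
    log += [f"{5000 + 4.7 * i:.1f} 192.0.2.77 198.51.100.{i} 12345" for i in range(1, 91)]
    scattered = [40, 7, 200, 7, 13, 99, 3, 150, 61, 22, 180]   # unordered probes
    log += [f"{9000 + i} 203.0.113.5 198.51.100.{o} 12345" for i, o in enumerate(scattered)]
    return log + ["9100 203.0.113.9 198.51.100.20 80", "garbage line"]

if __name__ == "__main__":
    for sweep in find_sweeps(sample_log()):
        print(sweep)
```

A sweep with `finished` false and a `last` octet well short of 254 corresponds to the abandoned scans the message describes.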