Security Incidents mailing list archives

Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127


From: Arthur Clune <ajc22 () york ac uk>
Date: Wed, 21 Apr 2004 10:51:08 +0100

--On 20/04/04 22:02:08 -0400 Jeff Kell wrote:

* scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
   source ports (the source port is not fixed).

A Polybot variant according to some discussions we've been having in .ac.uk

Scans:

80 http
1025 MS-Proxy?
2745 Bagle backdoor
3127 Mydoom backdoor
6129 Dameware Remote

Arthur


--
Arthur Clune, Systems Security Advisor, The Computing Service
University of York, UK, YO10 5DD.  +44 (0) 1904 433129
PGP signing key A0389A4B. Full key http://www.clune.org/pubkey.txt
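
A detection sketch for the scan pattern discussed in this thread, added here as an example and not part of the original message: it flags sources that probe several of the listed ports on more than one target within a short window. The flow-record format, the thresholds, the function names and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the thread: Kell's observed scan plus Clune's list.
WORM_PORTS = {80, 1025, 2745, 3127, 6129}

# Constructed sample flows: "epoch src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
1082541600 10.0.0.5 1841 192.0.2.10 80 tcp
1082541601 10.0.0.5 1842 192.0.2.10 6129 tcp
1082541602 10.0.0.5 1843 192.0.2.10 1025 tcp
1082541603 10.0.0.5 1844 192.0.2.10 3127 tcp
1082541604 10.0.0.5 1850 192.0.2.11 80 tcp
1082541605 10.0.0.5 1851 192.0.2.11 6129 tcp
1082541606 10.0.0.5 1852 192.0.2.11 1025 tcp
1082541610 10.0.0.9 3300 192.0.2.10 80 tcp
1082541611 10.0.0.9 3301 192.0.2.11 80 tcp
1082541612 10.0.0.7 4000 192.0.2.10 80 tcp
1082541613 10.0.0.7 4001 192.0.2.10 1025 tcp
1082541614 10.0.0.5 1860 192.0.2.12 53 udp
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) for well-formed TCP records only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "tcp":
            continue
        # The source port is ephemeral (not fixed), so it is not used as a key.
        yield float(parts[0]), parts[1], parts[3], int(parts[4])

def find_scanners(flows, min_ports=3, min_targets=2, window=60.0):
    """Map each suspect source to the targets it swept on >= min_ports worm ports."""
    hits = defaultdict(list)              # (src, dst) -> [(ts, dport)]
    for ts, src, dst, dport in flows:
        if dport in WORM_PORTS:
            hits[(src, dst)].append((ts, dport))
    swept = defaultdict(set)              # src -> targets swept inside the window
    for (src, dst), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                swept[src].add(dst)
                break
    return {s: sorted(d) for s, d in swept.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))
```

Ordinary web clients touch only port 80 on each target and stay below the per-target port threshold, which is what separates them from the multi-port sweep.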
