Security Incidents mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Charles Hamby <fixer () gci net>
Date: Wed, 21 Apr 2004 06:51:09 -0800
Jeff Kell wrote:
I assume this means you've managed to capture a sample? If so, can you provide any details (e.g. vector, method of compromise, etc.)? Like you I'm figuring on one of the 04-0xx vulns, but I'd like to know for sure.

Charles Hamby wrote:

Jeff,

Aside from the scanning order this sounds remarkably like a bug that we're battling right now. It's taken out about 150 or so of our hosts. As of right now we don't know what the bug is, but we deployed a honeypot yesterday to try to capture the malware and see if we can ID the beast.

It appears to be a Gaobot derivative. Changes the home page to be <semi-random-chars>.t.muxa.cc. Google for muxa.cc and you'll get some pointers.

Jeff
-cdh