nanog mailing list archives
Re: UDP port 4000 traffic: likely a new worm
From: "Rodney Joffe" <rjoffe () centergate com>
Date: Sat, 20 Mar 2004 20:52:58 -0500
Unfortunately the vulnerability has proven to not be restricted to port 4000. Keep monitoring SANS :-(

-----Original Message-----
From: Josh Richards <jrichard () digitalwest net>
Date: Sat, 20 Mar 2004 13:50:30
To: nanog () merit edu
Subject: Re: UDP port 4000 traffic: likely a new worm

The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:

Time   Unique Source IPs
08:00  350
09:00  332
10:00  297
11:00  298
12:00  265

(all times PST)

-jr

* Josh Richards <jrichard () digitalwest net> [20040320 11:10]:

Confirmed. We had our first customer (colo) hit yesterday evening at 20:43 PST. Additionally, they experienced the hard drive corruption (which was added to the ISC diary entry within the last several hours). Traffic was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant 60 Mbit/s before we took them off-line.

-jr

* Johannes B. Ullrich <jullrich () sans org> [20040320 00:44]:

Looks like there may be a worm going around hitting systems that run BlackIce. Common characteristics of the packets: Source port 4000 (but random target port) and the string "insert witty message here". Details will be posted here: http://isc.sans.org/diary.html as I get them together.

--
Josh Richards | Colocation Web Hosting Bandwidth
Digital West Networks | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA | AS14589 & AS29962
jrichard () digitalwest net | DWNI - Making Internet Business Better
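The hourly unique-source count described in the message above, as an added example that is not code from any poster in the thread: it matches UDP packets on the reported marker string and source port 4000, buckets distinct sources per hour, and fits a trend line to the hourly figures quoted in the post. The record layout, the sample addresses (documentation ranges) and all function names are assumptions made for this sketch; `port_strict=False` is a looser match on the marker alone for the case where the port is not fixed.

```python
from collections import defaultdict

MARKER = b"insert witty message here"  # payload string reported in the thread
SRC_PORT = 4000                        # UDP source port reported in the thread

# Constructed records: (time, src_ip, proto, sport, dport, payload)
SAMPLE = [
    ("08:01:12", "192.0.2.10", "udp", 4000, 31337, b"\x05\x00" + MARKER),
    ("08:14:40", "192.0.2.10", "udp", 4000, 2201, b"\x05\x00" + MARKER),  # same source again
    ("08:30:02", "198.51.100.7", "udp", 4000, 61000, b"\x05\x00" + MARKER),
    ("08:45:19", "203.0.113.5", "udp", 4000, 53, b"unrelated datagram"),  # port only, no marker
    ("09:02:51", "198.51.100.7", "udp", 4000, 1025, b"\x05\x00" + MARKER),
    ("09:10:33", "203.0.113.9", "tcp", 4000, 80, MARKER),                 # wrong protocol
    ("09:20:00", "203.0.113.77", "udp", 5190, 4000, MARKER + b"\x00"),    # marker, other source port
]

def matches(rec, port_strict=True):
    """Marker string in a UDP payload; optionally also require source port 4000."""
    _, _, proto, sport, _, payload = rec
    if proto != "udp" or MARKER not in payload:
        return False
    return sport == SRC_PORT or not port_strict

def unique_sources_per_hour(records, port_strict=True):
    """Distinct matching source IPs per hour bucket, like the flow table in the post."""
    buckets = defaultdict(set)
    for rec in records:
        if matches(rec, port_strict):
            buckets[rec[0][:2] + ":00"].add(rec[1])
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}

def hourly_slope(counts):
    """Least-squares change per consecutive hour; a negative value means decline."""
    n = len(counts)
    if n < 2:
        raise ValueError("need at least two hourly buckets")
    x_mean, y_mean = (n - 1) / 2, sum(counts) / n
    num = sum((i - x_mean) * (c - y_mean) for i, c in enumerate(counts))
    return num / sum((i - x_mean) ** 2 for i in range(n))

if __name__ == "__main__":
    print(unique_sources_per_hour(SAMPLE))
    print(unique_sources_per_hour(SAMPLE, port_strict=False))
    # Hourly figures quoted in the post (08:00 to 12:00 PST)
    print(hourly_slope([350, 332, 297, 298, 265]))
```

A least-squares slope is used rather than a strict hour-over-hour comparison because the quoted series rises by one source between 10:00 and 11:00 while still trending down overall.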