Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?

From: Steve Browning (browningsteve_at_hotmail.com)
Date: 03/27/04

  • Next message: K-OTiK Security: "Another ISS BlackIce & RealSecure Update ?"
    To: bugtraq@securityfocus.com
    Date: Sat, 27 Mar 2004 01:25:10 +0000
    
    

    Everyone, over the past 4 days I have been observing very random outgoing
    connection requests to a single external machine on the inet over ports 3127
    and 3198.

    The three machines in question are running Windows 2000 Server with all
    security fixes and current Symantec anti-virus definitions. The following
    characteristics are being observed:

    1. Outgoing connections started on Tuesday morning. Approximately 3 probes
    an hour.

    2. Each machine is trying to reach the same IP address on the inet. (IP
    belongs to a private company)

    3. Probes slowed down on Tuesday afternoon, then stopped altogether. On
    Wednesday afternoon I observed a couple more probes, then nothing.

    I have scanned these machines with AV software, no viruses detected, and
    because the ports in question are normally associated with
    Novarg/mydoom/doomjuice I ran the removal utilities from Microsoft and the
    AV vendor which detected nothing either.

    I visited the machines and ran FPORT, PSlist and a couple of other tools and
    detected no unusual processes. I also scanned each of the machines with
    Nmap and Nessus and detected nothing out of the ordinary. (no open ports
    other than MS stuff etc) I have blocked all outgoing access to the IP in
    question. (the ports were already closed incoming/outgoing) I have also
    placed a sniffer in front of these machines configured to capture traffic
    going to the suspect IP address, so far nothing.

    Does anyone have any idea whether there is an unknown virus/worm using TCP
    3127/3198? I will be rebuilding these machines shortly but I just wanted to
    get some feedback or see whether anyone else was experiencing similar
    problems.

    Thanks in advance for any replies,

    Steve

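The pattern described in the post (several internal hosts connecting to one external IP on TCP 3127/3198, a few probes an hour, later tapering off) is easiest to confirm from the firewall or sniffer logs rather than from the hosts themselves. The script below is an added example, not part of the original post; it assumes a simple constructed log line format ("date time action TCP src:port -> dst:port") and uses constructed sample addresses, so adapt the regex to whatever your firewall actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the post associates with Novarg/Mydoom/Doomjuice backdoor traffic.
SUSPECT_PORTS = {3127, 3198}

# Constructed sample firewall log (not real data); the line format is an assumption:
# "<date> <time> <action> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-03-23 08:12:01 ALLOW TCP 10.0.0.5:1044 -> 203.0.113.7:3127
2004-03-23 08:31:47 ALLOW TCP 10.0.0.6:1102 -> 203.0.113.7:3198
2004-03-23 08:50:09 ALLOW TCP 10.0.0.5:1051 -> 203.0.113.7:3127
2004-03-23 09:22:40 ALLOW TCP 10.0.0.5:1060 -> 198.51.100.20:80
2004-03-23 09:40:55 ALLOW TCP 10.0.0.7:1110 -> 203.0.113.7:3198
2004-03-24 14:10:02 ALLOW TCP 10.0.0.7:1233 -> 203.0.113.7:3127
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"], int(m["dport"])

def find_suspect_beacons(log_text, ports=SUSPECT_PORTS):
    """Map (src, dst) -> {"count": n, "hours": {"YYYY-MM-DD HH": n}} for hits on the suspect ports."""
    hits = defaultdict(lambda: {"count": 0, "hours": defaultdict(int)})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] not in ports:
            continue  # unparsable line, or a destination port we are not tracking
        ts, src, dst, _ = parsed
        hits[(src, dst)]["count"] += 1
        hits[(src, dst)]["hours"][ts.strftime("%Y-%m-%d %H")] += 1  # per-hour probe rate
    return {k: {"count": v["count"], "hours": dict(v["hours"])} for k, v in hits.items()}

def shared_destinations(hits, min_sources=2):
    """External IPs reached on the suspect ports by at least `min_sources` internal hosts."""
    by_dst = defaultdict(set)
    for src, dst in hits:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}
```

Running `shared_destinations(find_suspect_beacons(SAMPLE_LOG))` on the sample returns the one external address reached by all three internal hosts, and the per-hour buckets show whether the probe rate is steady or tapering as in the post.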

