RE: Worm ???

From: Bojo (bojo@consultcommerce.bg)
Date: 07/23/01


Subject: RE: Worm ???
Date: Mon, 23 Jul 2001 19:41:44 +0300
Message-ID: <B216985532F96343AFDE809DF22FDBE88B2D@mail.consultcommerce.bg>
From: "Bojo" <bojo@consultcommerce.bg>
To: "Kania" <kania@euskalnet.net>

Yes, this is possibly a worm, probably "Red Code", that performs searches
for other targets.
Please read the mail "Tool released to scan for possible CodeRed
infected servers" from today,
download the scanner
(http://www.eeye.com/html/Research/Tools/codered.html) and check for
this immediately!!

Bojidar Alexandrov
Developer @
ConsultCommerce Ltd
http://www.consultcommerce.com

-----Original Message-----
From: Kania [mailto:kania@euskalnet.net]
Sent: Monday, July 23, 2001 11:15 AM
To: focus-ms@securityfocus.com
Subject: Worm ???

I've got a development machine with Win2000 Server connected to the
Internet with a modem... I noticed that a huge amount of packets were
being sent...

I did netstat -a and this is the result:

  TCP makinon:http makinon:0 LISTENING
  TCP makinon:epmap makinon:0 LISTENING
  TCP makinon:https makinon:0 LISTENING
  TCP makinon:microsoft-ds makinon:0 LISTENING
  TCP makinon:1025 makinon:0 LISTENING
  TCP makinon:1026 makinon:0 LISTENING
  TCP makinon:1027 makinon:0 LISTENING
  TCP makinon:1030 makinon:0 LISTENING
  TCP makinon:1034 makinon:0 LISTENING
  TCP makinon:1036 makinon:0 LISTENING
  TCP makinon:1043 makinon:0 LISTENING
  TCP makinon:1045 makinon:0 LISTENING
  TCP makinon:1046 makinon:0 LISTENING
  TCP makinon:1047 makinon:0 LISTENING
  TCP makinon:1048 makinon:0 LISTENING
  TCP makinon:1049 makinon:0 LISTENING
  TCP makinon:1051 makinon:0 LISTENING
  TCP makinon:1052 makinon:0 LISTENING
  TCP makinon:1053 makinon:0 LISTENING
  TCP makinon:1054 makinon:0 LISTENING
  TCP makinon:1055 makinon:0 LISTENING
  TCP makinon:1056 makinon:0 LISTENING
  TCP makinon:1058 makinon:0 LISTENING
  TCP makinon:1059 makinon:0 LISTENING
  TCP makinon:1060 makinon:0 LISTENING
  TCP makinon:1061 makinon:0 LISTENING
  TCP makinon:1062 makinon:0 LISTENING
  TCP makinon:1064 makinon:0 LISTENING
  TCP makinon:1065 makinon:0 LISTENING
  TCP makinon:1066 makinon:0 LISTENING
  TCP makinon:1067 makinon:0 LISTENING
  TCP makinon:1068 makinon:0 LISTENING
  TCP makinon:1069 makinon:0 LISTENING
  TCP makinon:1071 makinon:0 LISTENING
  TCP makinon:1072 makinon:0 LISTENING
  TCP makinon:1073 makinon:0 LISTENING
  TCP makinon:1074 makinon:0 LISTENING
  TCP makinon:1075 makinon:0 LISTENING
  TCP makinon:1076 makinon:0 LISTENING
  TCP makinon:1077 makinon:0 LISTENING
  TCP makinon:1078 makinon:0 LISTENING
  TCP makinon:1079 makinon:0 LISTENING
  TCP makinon:1080 makinon:0 LISTENING
  TCP makinon:1081 makinon:0 LISTENING
  TCP makinon:1082 makinon:0 LISTENING
  TCP makinon:1084 makinon:0 LISTENING
  TCP makinon:1085 makinon:0 LISTENING
  TCP makinon:1086 makinon:0 LISTENING
  TCP makinon:1087 makinon:0 LISTENING
  TCP makinon:1088 makinon:0 LISTENING
  TCP makinon:1089 makinon:0 LISTENING
  TCP makinon:1091 makinon:0 LISTENING
  TCP makinon:1092 makinon:0 LISTENING
  TCP makinon:1093 makinon:0 LISTENING
  TCP makinon:1094 makinon:0 LISTENING
  TCP makinon:1095 makinon:0 LISTENING
  TCP makinon:1097 makinon:0 LISTENING
  TCP makinon:1098 makinon:0 LISTENING
  TCP makinon:1099 makinon:0 LISTENING
  TCP makinon:1100 makinon:0 LISTENING
  TCP makinon:1101 makinon:0 LISTENING
  TCP makinon:1102 makinon:0 LISTENING
  TCP makinon:1104 makinon:0 LISTENING
  TCP makinon:1105 makinon:0 LISTENING
  TCP makinon:1106 makinon:0 LISTENING
  TCP makinon:1107 makinon:0 LISTENING
  TCP makinon:1108 makinon:0 LISTENING
  TCP makinon:1110 makinon:0 LISTENING
  TCP makinon:1111 makinon:0 LISTENING
  TCP makinon:1112 makinon:0 LISTENING
  TCP makinon:1113 makinon:0 LISTENING
  TCP makinon:1114 makinon:0 LISTENING
  TCP makinon:1115 makinon:0 LISTENING
  TCP makinon:1117 makinon:0 LISTENING
  TCP makinon:1118 makinon:0 LISTENING
  TCP makinon:1119 makinon:0 LISTENING
  TCP makinon:1120 makinon:0 LISTENING
  TCP makinon:1121 makinon:0 LISTENING
  TCP makinon:1122 makinon:0 LISTENING
  TCP makinon:1123 makinon:0 LISTENING
  TCP makinon:1124 makinon:0 LISTENING
  TCP makinon:1125 makinon:0 LISTENING
  TCP makinon:1126 makinon:0 LISTENING
  TCP makinon:1127 makinon:0 LISTENING
  TCP makinon:1128 makinon:0 LISTENING
  TCP makinon:1129 makinon:0 LISTENING
  TCP makinon:1131 makinon:0 LISTENING
  TCP makinon:1132 makinon:0 LISTENING
  TCP makinon:1133 makinon:0 LISTENING
  TCP makinon:1134 makinon:0 LISTENING
  TCP makinon:1135 makinon:0 LISTENING
  TCP makinon:1136 makinon:0 LISTENING
  TCP makinon:1137 makinon:0 LISTENING
  TCP makinon:1138 makinon:0 LISTENING
  TCP makinon:1139 makinon:0 LISTENING
  TCP makinon:1140 makinon:0 LISTENING
  TCP makinon:1141 makinon:0 LISTENING
  TCP makinon:1142 makinon:0 LISTENING
  TCP makinon:1144 makinon:0 LISTENING
  TCP makinon:1145 makinon:0 LISTENING
  TCP makinon:1146 makinon:0 LISTENING
  TCP makinon:1147 makinon:0 LISTENING
  TCP makinon:1148 makinon:0 LISTENING
  TCP makinon:1149 makinon:0 LISTENING
  TCP makinon:1151 makinon:0 LISTENING
  TCP makinon:1152 makinon:0 LISTENING
  TCP makinon:1153 makinon:0 LISTENING
  TCP makinon:1155 makinon:0 LISTENING
  TCP makinon:1156 makinon:0 LISTENING
  TCP makinon:1157 makinon:0 LISTENING
  TCP makinon:1158 makinon:0 LISTENING
  TCP makinon:1159 makinon:0 LISTENING
  TCP makinon:1160 makinon:0 LISTENING
  TCP makinon:1161 makinon:0 LISTENING
  TCP makinon:1162 makinon:0 LISTENING
  TCP makinon:1163 makinon:0 LISTENING
  TCP makinon:1164 makinon:0 LISTENING
  TCP makinon:1165 makinon:0 LISTENING
  TCP makinon:1166 makinon:0 LISTENING
  TCP makinon:1167 makinon:0 LISTENING
  TCP makinon:1169 makinon:0 LISTENING
  TCP makinon:1170 makinon:0 LISTENING
  TCP makinon:1171 makinon:0 LISTENING
  TCP makinon:1172 makinon:0 LISTENING
  TCP makinon:1173 makinon:0 LISTENING
  TCP makinon:3372 makinon:0 LISTENING
  TCP makinon:4140 makinon:0 LISTENING
  TCP makinon:http 216.86.32.9:3117 CLOSE_WAIT
  TCP makinon:1032 galcott.com:http TIME_WAIT
  TCP makinon:1034 uweb.syd.optusnet.com.au:http LAST_ACK
  TCP makinon:1036 codeavionics.com:http ESTABLISHED
  TCP makinon:1043 141.210.10.117:ftp ESTABLISHED
  TCP makinon:1045 35.26.36.142:http ESTABLISHED
  TCP makinon:1046 74.171.153.201:http ESTABLISHED
  TCP makinon:1047 113.60.15.5:http ESTABLISHED
  TCP makinon:1048 152.205.132.64:http ESTABLISHED
  TCP makinon:1049 191.94.250.123:http ESTABLISHED
  TCP makinon:1051 13.129.91.11:http ESTABLISHED
  TCP makinon:1052 52.18.209.70:http ESTABLISHED
  TCP makinon:1053 91.163.70.130:http ESTABLISHED
  TCP makinon:1054 130.52.188.189:http ESTABLISHED
  TCP makinon:1055 169.197.49.249:http ESTABLISHED
  TCP makinon:1056 208.86.167.52:http LAST_ACK
  TCP makinon:1058 30.121.146.171:http LAST_ACK
  TCP makinon:1059 69.10.8.231:http LAST_ACK
  TCP makinon:1060 108.155.125.34:http LAST_ACK
  TCP makinon:1062 186.189.104.153:http ESTABLISHED
  TCP makinon:1064 8.224.201.40:http ESTABLISHED
  TCP makinon:1066 86.2.181.159:http ESTABLISHED
  TCP makinon:1067 125.147.42.219:http ESTABLISHED
  TCP makinon:1068 164.36.160.22:http ESTABLISHED
  TCP makinon:1069 203.181.21.82:http ESTABLISHED
  TCP makinon:1071 25.216.0.201:http ESTABLISHED
  TCP makinon:1072 64.105.118.4:http LAST_ACK
  TCP makinon:1073 103.250.235.63:http ESTABLISHED
  TCP makinon:1074 142.139.97.123:http ESTABLISHED
  TCP makinon:1075 181.28.215.182:http ESTABLISHED
  TCP makinon:1076 220.173.76.242:http LAST_ACK
  TCP makinon:1077 3.63.194.45:http ESTABLISHED
  TCP makinon:1078 42.208.55.105:http ESTABLISHED
  TCP makinon:1079 81.97.173.164:http ESTABLISHED
  TCP makinon:1080 120.242.34.224:http ESTABLISHED
  TCP makinon:1081 159.131.152.27:http ESTABLISHED
  TCP makinon:1082 198.20.14.87:http ESTABLISHED
  TCP makinon:1084 20.55.111.230:http ESTABLISHED
  TCP makinon:1085 59.200.228.33:http ESTABLISHED
  TCP makinon:1086 98.89.90.93:http ESTABLISHED
  TCP makinon:1087 137.234.207.152:http ESTABLISHED
  TCP makinon:1088 176.123.69.212:http ESTABLISHED
  TCP makinon:1089 215.12.187.15:http ESTABLISHED
  TCP makinon:1091 37.47.166.134:http ESTABLISHED
  TCP makinon:1092 76.192.27.194:http ESTABLISHED
  TCP makinon:1093 115.81.145.253:http ESTABLISHED
  TCP makinon:1094 154.226.6.57:http ESTABLISHED
  TCP makinon:1095 193.115.124.116:http ESTABLISHED
  TCP makinon:1097 15.150.103.235:http ESTABLISHED
  TCP makinon:1098 54.39.221.38:http ESTABLISHED
  TCP makinon:1099 93.184.82.98:http ESTABLISHED
  TCP makinon:1100 132.73.200.157:http ESTABLISHED
  TCP makinon:1101 171.218.61.217:http ESTABLISHED
  TCP makinon:1102 210.107.179.20:http ESTABLISHED
  TCP makinon:1104 32.142.158.139:http ESTABLISHED
  TCP makinon:1105 71.31.20.199:http ESTABLISHED
  TCP makinon:1106 110.176.255.26:http ESTABLISHED
  TCP makinon:1107 149.65.117.86:http ESTABLISHED
  TCP makinon:1108 188.210.234.145:http ESTABLISHED
  TCP makinon:1110 10.245.213.8:http ESTABLISHED
  TCP makinon:1111 49.134.75.68:http ESTABLISHED
  TCP makinon:1112 88.23.193.127:http ESTABLISHED
  TCP makinon:1113 40.182.56.187:http ESTABLISHED
  TCP makinon:1114 166.57.172.246:http LAST_ACK
  TCP makinon:1115 205.202.33.50:http ESTABLISHED
  TCP makinon:1117 27.237.12.169:http ESTABLISHED
  TCP makinon:1118 66.126.130.228:http ESTABLISHED
  TCP makinon:1119 105.15.248.31:http ESTABLISHED
  TCP makinon:1120 144.160.109.91:http ESTABLISHED
  TCP makinon:1121 183.49.227.150:http ESTABLISHED
  TCP makinon:1122 222.194.88.210:http LAST_ACK
  TCP makinon:1123 5.84.206.13:http ESTABLISHED
  TCP makinon:1124 44.229.67.73:http ESTABLISHED
  TCP makinon:1125 83.118.47.157:http ESTABLISHED
  TCP makinon:1126 57.104.20.196:http ESTABLISHED
  TCP makinon:1127 122.7.165.216:http ESTABLISHED
  TCP makinon:1128 161.152.26.20:http ESTABLISHED
  TCP makinon:1129 200.41.144.79:http ESTABLISHED
  TCP makinon:1131 22.76.123.198:http LAST_ACK
  TCP makinon:1132 61.221.240.1:http ESTABLISHED
  TCP makinon:1133 100.110.102.61:http ESTABLISHED
  TCP makinon:1134 139.255.219.120:http ESTABLISHED
  TCP makinon:1135 178.144.81.180:http ESTABLISHED
  TCP makinon:1136 217.33.199.239:http ESTABLISHED
  TCP makinon:1137 0.179.60.43:http ESTABLISHED
  TCP makinon:1138 39.68.178.102:http ESTABLISHED
  TCP makinon:1139 78.213.39.162:http ESTABLISHED
  TCP makinon:1140 117.102.157.221:http ESTABLISHED
  TCP makinon:1141 156.247.18.25:http ESTABLISHED
  TCP makinon:1142 195.136.136.84:http ESTABLISHED
  TCP makinon:1144 17.171.115.203:http ESTABLISHED
  TCP makinon:1145 201.68.51.228:http ESTABLISHED
  TCP makinon:1146 58.224.4.214:http ESTABLISHED
  TCP makinon:1147 135.140.185.80:http ESTABLISHED
  TCP makinon:1148 171.123.214.199:http LAST_ACK
  TCP makinon:1149 28.23.208.154:http ESTABLISHED
  TCP makinon:1151 207.106.243.62:http ESTABLISHED
  TCP makinon:1152 141.178.161.140:http ESTABLISHED
  TCP makinon:1153 64.6.237.17:http LAST_ACK
  TCP makinon:1155 177.161.190.3:http ESTABLISHED
  TCP makinon:1156 34.61.144.245:http ESTABLISHED
  TCP makinon:1157 147.216.137.200:http ESTABLISHED
  TCP makinon:1158 189.211.16.73:http ESTABLISHED
  TCP makinon:1159 207.122.53.32:http ESTABLISHED
  TCP makinon:1160 81.145.71.248:http SYN_SENT
  TCP makinon:1161 92.133.126.132:http SYN_SENT
  TCP makinon:1162 165.218.228.184:http SYN_SENT
  TCP makinon:1163 3.161.4.30:http SYN_SENT
  TCP makinon:1164 171.0.237.218:http SYN_SENT
  TCP makinon:1165 107.3.22.3:http SYN_SENT
  TCP makinon:1166 209.164.48.6:http SYN_SENT
  TCP makinon:1167 163.25.165.51:http SYN_SENT
  TCP makinon:1169 33.187.157.109:http SYN_SENT
  TCP makinon:1170 7.37.34.60:http SYN_SENT
  TCP makinon:1171 203.2.75.30:http SYN_SENT
  TCP makinon:1172 183.39.214.243:http SYN_SENT
  TCP makinon:1173 74.222.225.56:http SYN_SENT
  TCP makinon:netbios-ssn makinon:0 LISTENING
  TCP makinon:1037 JUMBOTRON:netbios-ssn TIME_WAIT
  UDP makinon:epmap *:*
  UDP makinon:microsoft-ds *:*
  UDP makinon:1028 *:*
  UDP makinon:3456 *:*
  UDP makinon:netbios-ns *:*
  UDP makinon:netbios-dgm *:*
  UDP makinon:isakmp *:*
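The listing above is the classic picture of a host scanning for other web servers: dozens of outbound connections to port 80 on unrelated bare IP addresses, many of them half-open (SYN_SENT). As an added example (not part of the original thread, and not eEye's scanner), the script below parses Windows 2000 "netstat -a" output of the same shape and flags that pattern. The sample lines are a constructed excerpt modelled on the post, and the thresholds are tuning assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed excerpt in the shape of the post's "netstat -a" output.
SAMPLE_NETSTAT = """\
  TCP makinon:http makinon:0 LISTENING
  TCP makinon:1045 makinon:0 LISTENING
  TCP makinon:http 216.86.32.9:3117 CLOSE_WAIT
  TCP makinon:1036 codeavionics.com:http ESTABLISHED
  TCP makinon:1045 35.26.36.142:http ESTABLISHED
  TCP makinon:1046 74.171.153.201:http ESTABLISHED
  TCP makinon:1056 208.86.167.52:http LAST_ACK
  TCP makinon:1160 81.145.71.248:http SYN_SENT
  TCP makinon:1161 92.133.126.132:http SYN_SENT
  TCP makinon:1162 165.218.228.184:http SYN_SENT
  TCP makinon:1037 JUMBOTRON:netbios-ssn TIME_WAIT
  UDP makinon:epmap *:*
"""

Conn = namedtuple("Conn", "proto local_port remote_host remote_port state")
# proto, local host:port, remote host:port, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_netstat(text):
    """Turn netstat -a lines into Conn tuples; skips headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _lhost, lport, rhost, rport, state = m.groups()
            conns.append(Conn(proto, lport, rhost, rport, state or ""))
    return conns

def summarize_outbound_http(conns):
    """Count outbound TCP connections whose remote port is http (80)."""
    out = [c for c in conns if c.proto == "TCP" and c.state != "LISTENING"
           and c.remote_port in ("http", "80")]
    states = Counter(c.state for c in out)
    return {
        "outbound_http": len(out),
        "distinct_hosts": len({c.remote_host for c in out}),
        "ip_remotes": sum(1 for c in out if IPV4_RE.match(c.remote_host)),
        "syn_sent": states["SYN_SENT"],
        "established": states["ESTABLISHED"],
    }

def looks_like_scanner(summary, min_hosts=5, min_half_open=2):
    """Assumed heuristic: many distinct port-80 peers plus half-open connects.
    A browser talks to a handful of named hosts; a scanner hits random IPs."""
    return (summary["distinct_hosts"] >= min_hosts
            and summary["syn_sent"] >= min_half_open)

if __name__ == "__main__":
    print(summarize_outbound_http(parse_netstat(SAMPLE_NETSTAT)))
```

On the full listing in the post the counts are far higher (well over a hundred distinct peers, thirteen in SYN_SENT), so the defaults above are deliberately low for the short excerpt.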


