RE: New script-kiddie looking scan

From: David Jacoby (dj@outpost24.com)
Date: 06/19/02


Date: Wed, 19 Jun 2002 14:55:58 +0200
From: David Jacoby <dj@outpost24.com>
To: incidents@securityfocus.com

Hi!

Since the remote exploit for the Shoutcast and Icecast daemons was released
there have been a lot of scans on these ports. It can be some autorooter,
but from what I can see in your logfile it looks like it's just a vulnerability scanner,
scanning for recent vulnerabilities.

But I don't think it's a worm, because worms often use a specific vulnerability
to exploit.

David Jacoby
Chief Hacker
Outpost24

http://www.outpost24.com

On Tue, 18 Jun 2002 00:27:41 -0400
"Jeff Kell" <jeff-kell@utc.edu> wrote:

> I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
> and 8080, in succession from increasing source ports). These are
> MS-SQL, WinAmp, Ring Zero, and HTTP proxy. The scans look like:
>
> 2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
> 2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
> 2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp Shoutcast / iRDMI
> 2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 Microsoft-SQL-Server
>
> These have come from sources as diverse as Great Britain, Italy, China,
> etc. I suppose the $64K question is: is this a simple script-kiddie
> scan, or perhaps a new worm signature as it attempts to propagate?
>
> Jeff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
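The scan pattern discussed in this thread (one source probing 1433, 8000, 3128 and 8080 on the same host within the same second, from consecutive source ports) can be picked out of a log mechanically. The following is an added example, not code from either poster: the log layout is inferred from the four quoted lines, the 5-second window and the function names are assumptions, and the two 192.0.2.10 lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_PORTS = {1433, 3128, 8000, 8080}  # port set reported in the thread
# Layout assumed from the quoted lines: "date time src:sport (rdns) dst:dport label"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?:\([^)]*\) )?(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# The first four lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
2002/06/15 05:12:45 217.34.122.73:2374 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8080 HTTP Proxy Scan
2002/06/15 05:12:45 217.34.122.73:2375 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:3128 RingZero
2002/06/15 05:12:45 217.34.122.73:2376 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:8000 WinAmp Shoutcast / iRDMI
2002/06/15 05:12:45 217.34.122.73:2377 (host217-34-122-73.in-addr.btopenworld.com) 24.158.203.217:1433 Microsoft-SQL-Server
2002/06/15 05:13:02 192.0.2.10:4100 198.51.100.7:8080 HTTP Proxy Scan
2002/06/15 05:13:02 192.0.2.10:4101 198.51.100.7:3128 RingZero
"""

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def find_sweeps(lines, window=timedelta(seconds=5)):
    """Return (src, dst, first_seen, consecutive_source_ports) per full four-port sweep."""
    by_pair = defaultdict(list)
    for ts, src, sport, dst, dport in parse(lines):
        if dport in SWEEP_PORTS:
            by_pair[(src, dst)].append((ts, sport, dport))
    hits = []
    for (src, dst), events in sorted(by_pair.items()):
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if {e[2] for e in burst} == SWEEP_PORTS:
                sports = sorted(e[1] for e in burst)
                sequential = sports == list(range(sports[0], sports[0] + len(sports)))
                hits.append((src, dst, start, sequential))
                break
    return hits

if __name__ == "__main__":
    for src, dst, seen, seq in find_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{seen} {src} -> {dst}: four-port sweep, consecutive source ports={seq}")
```

A source that touches only some of the four ports, or spreads them over hours, is not reported; counting distinct sources per day from the result gives the growth trend the original post asks about.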


