RE: Unusual DNS and port 37 requests

From: Bojan Zdrnja (Bojan.Zdrnja_at_LSS.hr)
Date: 08/20/03

    To: <S.Waterhouse@ST-JEAN.RMC.CA>, <incidents@securityfocus.com>
    Date: Wed, 20 Aug 2003 16:02:22 +1200
    
    

    > -----Original Message-----
    > From: S.Waterhouse@ST-JEAN.RMC.CA
    > [mailto:S.Waterhouse@ST-JEAN.RMC.CA]
    > Sent: Wednesday, 20 August 2003 7:03 a.m.
    > To: incidents@securityfocus.com
    > Subject: Unusual DNS and port 37 requests
    > Importance: High
    >
    >
    > 1. For the past hours, we've monitored massive DNS lookups
    > initiated from the inside to outside for resolution, enough
    > to flood the link, therefore slowing the pace at which we can
    > work. Have any of you seen this kind of behaviour? One
    > company is currently monitoring the same situation elsewhere,
    > same criteria.
    >
    > 2. And in between the previous point, we have many requests
    > asking for time updates on port 37, which I never saw before.
    > Any ideas?
    >
    > 3. Have a nice day to all

    Nice day or not, I've been fighting Sobig-F the whole day :)

    Both requests that you've seen come from Sobig-F and I can see that traffic
    as well. This one spreads like hell, be sure to check your e-mail servers.

    Also, one precaution - I had to turn off all message notifications for
    recipients as the worm makes a huge amount of traffic.

    Regards,

    Bojan Zdrnja
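As an added example (not part of this thread, nor code from anyone in it), here is a defender-side check built around the two indicators the thread describes: it parses constructed flow records in a hypothetical "src dst proto dport" format and flags internal hosts that both generate an unusually high volume of DNS queries and contact the Time protocol on port 37.

```python
import collections
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample flow records (not taken from the thread), one per line,
# in the hypothetical form a firewall or NetFlow export might log them.
SAMPLE_FLOWS = "\n".join(
    [f"10.0.0.5 192.0.2.{i % 4 + 1} udp 53" for i in range(30)]  # DNS flood from one host
    + ["10.0.0.5 198.51.100.7 tcp 37"] * 3                        # same host: port 37 (Time)
    + ["10.0.0.9 192.0.2.1 udp 53"] * 5                           # ordinary client
    + ["10.0.0.12 192.0.2.2 udp 53"] * 25                         # busy host, no port 37
    + ["10.0.0.12 203.0.113.9 tcp 80"]
)


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst proto dport' lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def suspicious_hosts(flows, dns_threshold: int = 20, time_threshold: int = 1):
    """Return {src: (dns_count, port37_count)} for sources that reach both
    thresholds: many DNS queries AND at least one Time-protocol (port 37) contact.
    Requiring both indicators keeps a merely busy resolver client from being flagged."""
    dns = collections.Counter()
    time_svc = collections.Counter()
    for f in flows:
        if f.dport == 53:
            dns[f.src] += 1
        elif f.dport == 37:
            time_svc[f.src] += 1
    flagged = {}
    for host in set(dns) | set(time_svc):
        if dns[host] >= dns_threshold and time_svc[host] >= time_threshold:
            flagged[host] = (dns[host], time_svc[host])
    return flagged


if __name__ == "__main__":
    for host, (n_dns, n_time) in suspicious_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {n_dns} DNS queries, {n_time} port-37 connections")
```

Thresholds are deliberately parameters: tune `dns_threshold` to what a normal client on your link does per capture window, and the port 37 condition alone is what separates the infected host from the busy one.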


