Re: ICMP port 2048 scans

From: cbirch (opus_at_ircore.com)
Date: 08/24/03

    Date: Sat, 23 Aug 2003 19:12:28 -0500 (CDT)
    To: Ryan McConky <rmcconky@webmd.net>
    
    

    I believe this is the so-called "Good Worm" known as the W32.Welchia.Worm

    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    Under the technical details of the above URL, look at item 7.

    Chris

    On 22 Aug 2003, Ryan McConky wrote:

    > We are seeing the same thing on our routers. What is troubling me is that
    > it is incrementing the dest ip by one each second. Like it is scanning.
    > It is scanning internal and external networks. Most traced to Asian
    > countries. Anyone else seeing this?
    >
    >
    > >From: "morgs ." <morgs808@hotmail.com>
    > >To: incidents@securityfocus.com
    > >Subject: ICMP port 2048 scans
    > >Date: Wed, 20 Aug 2003 12:17:12 +1000
    > >
    > >Is it just me or is anyone else getting nailed every 1 minute from various
    > >sources asking for a connection to port 2048? There seem to be various
    > >services that use this port including things like router configuration and
    > >ssh in some cases. Some new worm or virus maybe?

    -- 
        .~.
        /V\
       /( )\
       ^^-^^
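
The pattern reported in this thread (ICMP traffic logged as "port 2048", destination address going up by one) can be checked for in flow logs. The sketch below is an added example, not part of the original messages. It assumes the logs come from a flow export that packs ICMP type and code into the destination-port field as type*256+code, as NetFlow does, so 2048 decodes to type 8, code 0 (echo request); the record layout, function names and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "epoch_seconds src dst ip_proto dst_port"
SAMPLE_FLOWS = """\
1061600000 192.0.2.10 198.51.100.1 1 2048
1061600001 192.0.2.10 198.51.100.2 1 2048
1061600002 192.0.2.10 198.51.100.3 1 2048
1061600003 192.0.2.10 198.51.100.4 1 2048
1061600004 192.0.2.10 198.51.100.5 1 2048
1061600002 192.0.2.77 198.51.100.9 1 2048
1061600050 192.0.2.77 198.51.100.200 1 0
1061600003 192.0.2.99 198.51.100.7 6 2048
"""


def decode_icmp_port(port):
    """Split a flow 'destination port' into (ICMP type, ICMP code)."""
    return port >> 8, port & 0xFF


def find_echo_sweeps(text, min_run=4):
    """Return {src: longest run of echo requests to consecutive addresses}."""
    targets = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, proto, port = fields
        # Keep only ICMP (protocol 1) echo requests; TCP/UDP port 2048 is unrelated.
        if int(proto) != 1 or decode_icmp_port(int(port)) != (8, 0):
            continue
        targets[src].append((int(ts), int(ipaddress.IPv4Address(dst))))
    sweeps = {}
    for src, seen in targets.items():
        seen.sort()  # order by time, then walk adjacent destinations
        best = run = 1
        for (_, prev), (_, cur) in zip(seen, seen[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    for src, run in find_echo_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {run} consecutive destinations probed with ICMP echo")
```
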
    
