Re: ICMP port 2048 scans
From: cbirch (opus_at_ircore.com)
Date: 08/24/03
- Previous message: Mahoney, Paul: "RE: [Incidents] Sobig.F style email with no attachments"
- In reply to: Ryan McConky: "Re: ICMP port 2048 scans"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: ICMP port 2048 scans"
Date: Sat, 23 Aug 2003 19:12:28 -0500 (CDT)
To: Ryan McConky <rmcconky@webmd.net>
I believe this is the so-called "Good Worm" known as the W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Under the technical details of the above URL, look at item 7.
Chris
On 22 Aug 2003, Ryan McConky wrote:
> We are seeing the same thing on our routers. What is troubling me is that
> it is incrementing the dest ip by one each second. Like it is scanning.
> It is scanning internal and external networks. Most traced to Asian
> countries. Anyone else seeing this?
>
> >From: "morgs ." <morgs808@hotmail.com>
> >To: incidents@securityfocus.com
> >Subject: ICMP port 2048 scans
> >Date: Wed, 20 Aug 2003 12:17:12 +1000
> >
> >Is it just me or is anyone else getting nailed every 1 minute from various
> >sources asking for a connection to port 2048. There seem to be various
> >services that use this port including things like router configuration and
> >ssh in some cases. Some new worm or virus maybe?
--
.~.
/V\
/( )\
^^-^^
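
As an added example (not part of the original thread), this sketch flags the pattern described in the quoted message, where one source walks destination addresses one at a time. It assumes the reported "port 2048" comes from a NetFlow-style export, which packs the ICMP type and code into the destination-port field as type*256+code (2048 = type 8, code 0, echo request); the record layout, sample data and thresholds are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: "epoch_seconds src dst ip_proto dst_port"
SAMPLE_FLOWS = """\
1061424000 192.0.2.77 10.1.4.10 1 2048
1061424001 192.0.2.77 10.1.4.11 1 2048
1061424002 192.0.2.77 10.1.4.12 1 2048
1061424003 192.0.2.77 10.1.4.13 1 2048
1061424004 192.0.2.77 10.1.4.14 1 2048
1061424005 192.0.2.77 10.1.4.15 1 2048
1061424000 198.51.100.9 10.1.4.20 1 2048
1061424060 198.51.100.9 10.1.4.20 1 2048
1061424120 198.51.100.9 10.1.4.20 1 2048
1061424010 203.0.113.5 10.1.4.30 6 2048
1061424011 203.0.113.5 10.1.4.31 1 769
"""

def decode_icmp(dst_port):
    """Split a NetFlow-style ICMP 'port' value into (type, code)."""
    return dst_port >> 8, dst_port & 0xFF

def find_sweeps(text, min_run=5, max_gap=2):
    """Map each source to its longest run of echo requests sent to
    consecutive destination addresses at most max_gap seconds apart."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, port = fields
        # IP protocol 1 is ICMP; keep echo requests (type 8, code 0) only
        if int(proto) == 1 and decode_icmp(int(port)) == (8, 0):
            per_src[src].append((int(ts), int(ipaddress.ip_address(dst))))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best = run = 1
        for (t0, d0), (t1, d1) in zip(events, events[1:]):
            # extend the run only when the next target is the next address
            run = run + 1 if d1 == d0 + 1 and t1 - t0 <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, run in find_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {run} consecutive destinations pinged in sequence")
```

The repeated pings to a single host, the TCP flow to port 2048 and the non-echo ICMP record in the sample are deliberately left unflagged.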