RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

From: Chris Harrington (cmh_at_nmi.net)
Date: 04/21/04

  • Next message: Jeff Kell: "Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127"
    To: "'Jeff Kell'" <jeff-kell@utc.edu>
    Date: Wed, 21 Apr 2004 10:41:22 -0400
    
    

    Jeff,

    Those are most likely Phatbot / Agobot / Gaobot infections.
    http://www.lurhq.com/phatbot.html I am seeing a lot of hosts trying to
    connect to our networks on those ports. In addition I also see ports 4387
    and 5000 in the scans. Snort rules pick these up as Agobot variants.

    Phatbot tries to replicate through:

    Mydoom, port 3127
    Dameware, port 6129
    Universal PnP, port 5000
    WebDAV, port 80
    MS SQL, port 1434
    Bagle, port 4387

    Symantec does have info on removal under W32.HLLW.Gaobot.gen:
    http://www.sarc.com/avcenter/venc/data/pf/w32.hllw.gaobot.gen.html

    Good luck with it.

    --
    Christopher Harrington, CISSP
    Security Engineer
    NMI InfoSecurity Solutions
    207-780-6381, x236
    http://www.nmi.net
    -----Original Message-----
    From: Jeff Kell [mailto:jeff-kell@utc.edu] 
    Sent: Tuesday, April 20, 2004 10:02 PM
    To: General DShield Discussion List; Incidents
    Subject: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
    We have had a significant outbreak of a yet-unidentified virus on campus
    covering several dozen machines and one remote lab (possibly 100 in all).
    The characteristics I have observed remotely (no possibility of forensics
    at the moment, just shutting down ports) are as follows:
    * listens on two random, high-numbered tcp ports
    * picks a random address within the infected machine's /8 subnet
    * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
       source ports (the source port is not fixed).
    It could have gained entry via tcp/1025 as all the others are blocked on
    ingress, or it could have been brought inside via laptop.  Strangely enough
    it has not been detected in our dorms (where most of our slime tends to
    grow).  An off-campus lab connected via half a T1 was almost entirely
    consumed; I have shut down their serial interface (can't diagnose this one
    as the packet loss was incredibly high).
    I suspect this originated as one of the MS04-xxxx exploits patched last
    week; we've already done this exercise with other RPC-ish vulnerabilities
    and taken time to update lab machines.
    Sound familiar to anyone?
    Jeff Kell
    University of Tennessee at Chattanooga
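The scan pattern Jeff describes (probes to tcp 80, 6129, 1025, 3127 in that order, against random addresses inside the scanner's own /8, from ephemeral source ports) is something you can pull out of flow or firewall logs without waiting for a signature. The script below is an added example and is not code from either poster or from any of the vendors mentioned; it assumes a simplified one-line-per-flow log format ("time src_ip src_port dst_ip dst_port proto"), a constructed sample log, and an assumed threshold of three distinct targets before a host is reported. The port-to-service labels are the ones given in Chris's reply; 1025 appears only in the observed scan order and is left unlabelled.

```python
"""Flag hosts whose outbound tcp attempts match the Phatbot/Agobot scan
pattern described in the thread.  Added example, not code from either poster;
the flow-record format, sample data and threshold below are assumptions."""
from collections import defaultdict
from ipaddress import ip_address

# Ports named in the thread.  Labels come from the reply's propagation list;
# 1025 is only in the observed scan order, so it carries no label.
SCAN_PORTS = {
    80: "WebDAV",
    1025: "(observed in scan order, not mapped to a service in the thread)",
    1434: "MS SQL",
    3127: "Mydoom backdoor",
    4387: "Bagle backdoor",
    5000: "Universal PnP",
    6129: "Dameware",
}
# Per-target probe order reported in the original post.
OBSERVED_SEQUENCE = (80, 6129, 1025, 3127)

# Constructed sample flow records (not real data):
# "time src_ip src_port dst_ip dst_port proto".  10.12.34.5 behaves like an
# infected host; 10.12.34.8 is ordinary web traffic and must not be flagged.
SAMPLE_LOG = """\
2004-04-20T21:58:01 10.12.34.5 3311 10.200.7.9 80 tcp
2004-04-20T21:58:01 10.12.34.5 3312 10.200.7.9 6129 tcp
2004-04-20T21:58:02 10.12.34.5 3313 10.200.7.9 1025 tcp
2004-04-20T21:58:02 10.12.34.5 3314 10.200.7.9 3127 tcp
2004-04-20T21:58:03 10.12.34.5 3315 10.77.1.200 80 tcp
2004-04-20T21:58:03 10.12.34.5 3316 10.77.1.200 6129 tcp
2004-04-20T21:58:04 10.12.34.5 3317 10.77.1.200 1025 tcp
2004-04-20T21:58:04 10.12.34.5 3318 10.77.1.200 3127 tcp
2004-04-20T21:58:05 10.12.34.5 3319 10.3.99.14 80 tcp
2004-04-20T21:58:05 10.12.34.5 3320 10.3.99.14 6129 tcp
2004-04-20T21:58:06 10.12.34.5 3321 10.3.99.14 1025 tcp
2004-04-20T21:58:06 10.12.34.5 3322 10.3.99.14 3127 tcp
2004-04-20T21:58:07 10.12.34.8 2049 10.12.34.1 80 tcp
2004-04-20T21:58:09 10.12.34.8 2050 192.0.2.10 443 tcp
2004-04-20T21:58:11 10.12.34.8 2051 10.12.34.1 80 tcp
"""


def parse_flows(text):
    """Yield (ts, src, sport, dst, dport, proto); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            yield ts, src, int(sport), dst, int(dport), proto.lower()
        except ValueError:
            continue


def find_scanners(text, min_targets=3):
    """Return {src_ip: report} for sources that hit at least min_targets
    distinct hosts on the scan ports.  Each report carries the indicators
    from the thread: target count, ports used, how many targets sit in the
    scanner's own /8 and how widely they spread across /16s, how many targets
    got the exact 80/6129/1025/3127 sequence, and source-port variability."""
    per_src = defaultdict(list)  # src -> [(ts, sport, dst, dport)] in log order
    for ts, src, sport, dst, dport, proto in parse_flows(text):
        if proto == "tcp" and dport in SCAN_PORTS:
            per_src[src].append((ts, sport, dst, dport))

    reports = {}
    for src, flows in per_src.items():
        targets = defaultdict(list)  # dst -> ports probed, in order seen
        for _, _, dst, dport in flows:
            targets[dst].append(dport)
        if len(targets) < min_targets:
            continue
        first_octet = ip_address(src).packed[0]
        own_slash8 = [d for d in targets if ip_address(d).packed[0] == first_octet]
        # Many distinct /16s inside the /8 is the "random address within the
        # /8" behaviour, as opposed to a host talking to its own subnet.
        slash16s = {ip_address(d).packed[:2] for d in own_slash8}
        seq_hits = sum(1 for p in targets.values() if tuple(p) == OBSERVED_SEQUENCE)
        reports[src] = {
            "targets": len(targets),
            "ports": sorted({p for ports in targets.values() for p in ports}),
            "in_own_slash8": len(own_slash8),
            "distinct_slash16": len(slash16s),
            "sequence_matches": seq_hits,
            "distinct_source_ports": len({sp for _, sp, _, _ in flows}),
        }
    return reports


if __name__ == "__main__":
    for host, report in find_scanners(SAMPLE_LOG).items():
        print(host)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Feed it real flow exports by swapping SAMPLE_LOG for the file contents; the threshold and the /8 check are the knobs to tune for your address plan. A host with a high sequence_matches count and targets spread over many /16s inside your own /8 is worth pulling off the wire before the AV vendors catch up with a name for it.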
