Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Charles Hamby (fixer_at_gci.net)
Date: 04/21/04
- Previous message: Maccy: "log message"
- In reply to: Jeff Kell: "Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127"
- Next in thread: Chris Harrington: "RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127"
Date: Wed, 21 Apr 2004 06:51:09 -0800
To: Jeff Kell <jeff-kell@utc.edu>
Jeff Kell wrote:
> Charles Hamby wrote:
>
>> Jeff,
>>
>> Aside from the scanning order this sounds remarkably like a bug that
>> we're battling right now. It's taken out about 150 or so of our
>> hosts. As of right now we don't know what the bug is, but we
>> deployed a honeypot yesterday to try to capture the malware and see
>> if we can ID the beast.
>
>
> It appears to be a Gaobot derivative. Changes the home page to be
> <semi-random-chars>.t.muxa.cc. Google for muxa.cc and you'll get some
> pointers.
>
> Jeff
>
>
I assume this means you've managed to capture a sample? If so, can you
provide any details (e.g. vector, method of compromise, etc.)? Like you,
I'm figuring on one of the 04-0xx vulns, but I'd like to know for sure.
-cdh