RE: TCP port 5000 syn increasing

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 05/19/04

    Date: Wed, 19 May 2004 10:26:40 -0500
    To: nick@virus-l.demon.co.uk, incidents@securityfocus.com

    --On Wednesday, May 19, 2004 10:58:34 AM +1200 Nick FitzGerald
    <nick@virus-l.demon.co.uk> wrote:

    > Paul Schmehl <pauls@utdallas.edu> wrote:
    >
    >> I'd be inclined to agree with you, Jose. I suspect this is something
    >> new that's been "distributed" through a bot network of already
    >> compromised machines (Agobot/Gaobot). I'm seeing *some* correlation
    >> between hosts "poking" me on 3217 and 6129 (Agobot for sure) and 5000,
    >> but not on the other ports.
    >
    > By "*some* correlation" do you mean "temporally close" or just "these
    > IPs hit those three ports in the last 24 hours"?
    >
    I mean both at the same time and from the same IP. Unfortunately, Roger
    hasn't made it easy to extract serial data from wormradar yet, or I would
    post the evidence here. What I've been seeing for some time now is a
    massive amount of probes on ports 3127 and 6129 (repeatedly from the same
    IP addresses) interspersed with an occasional probe on 5000 from the *same*
    IP. This leads me to believe that at least *some* of the 5000 probing is
    deliberate rather than automated.

    Furthermore, I saw the first probe on 5000 on 4/24, long before either of
    the recent worms being blamed for this traffic came out. Joe Stewart makes
    a good case for at least *some* of that traffic coming from the one worm
    (I'm sorry, but the names all seem to run together these days), but I'm not
    convinced that all of it is.

    BTW, I second your comments about wormradar. Everyone should have at least
    one running on their network, if for no other reason than to amaze them
    with the amount of crap floating around on the Internet.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/ir/security/
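The correlation Paul describes, the same source IP probing 3127/6129 and then 5000 a short time later, is the kind of check a defender can run mechanically against firewall deny logs. The following is an added example, not code from the list post or from wormradar; the log line format, the IP addresses and the timestamps are constructed for illustration, and the five-minute window is an assumed tuning parameter.

```python
"""Correlate SYN probes on bot-associated ports with probes on 5000 from the same IP."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample firewall deny log (not real traffic). Assumed format:
#   <ISO timestamp> DENY <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2004-05-19T09:01:02 DENY 203.0.113.7:4012 -> 192.0.2.10:3127
2004-05-19T09:01:03 DENY 203.0.113.7:4013 -> 192.0.2.10:6129
2004-05-19T09:01:40 DENY 203.0.113.7:4020 -> 192.0.2.10:5000
2004-05-19T09:05:00 DENY 198.51.100.22:3301 -> 192.0.2.10:5000
2004-05-19T09:07:10 DENY 203.0.113.9:5100 -> 192.0.2.10:3127
2004-05-19T11:30:00 DENY 203.0.113.9:5200 -> 192.0.2.10:5000
2004-05-19T09:08:00 malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk lines rather than abort the whole run
        yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def correlate(events, bot_ports=(3127, 6129), target_port=5000,
              window=timedelta(minutes=5)):
    """Return {src_ip: [(bot_port, target_probe_time), ...]} for every source whose
    probe on target_port lies within `window` of its own probe on one of bot_ports.
    A source that only hits 5000, or hits the bot ports hours apart, is not reported."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological order per source
        bot_evs = [(ts, p) for ts, p in evs if p in bot_ports]
        tgt_evs = [ts for ts, p in evs if p == target_port]
        matches = [
            (b_port, t_ts)
            for t_ts in tgt_evs
            for b_ts, b_port in bot_evs
            if abs(t_ts - b_ts) <= window
        ]
        if matches:
            hits[src] = matches
    return hits


if __name__ == "__main__":
    for src, matches in correlate(parse_log(SAMPLE_LOG)).items():
        ports = sorted({p for p, _ in matches})
        print(f"{src}: probed {ports} and 5000 within the window")
```

In the constructed sample only 203.0.113.7 is reported: it hits 3127 and 6129 and then 5000 within a minute. 198.51.100.22 touches 5000 alone, and 203.0.113.9 hits 3127 and 5000 more than two hours apart, so neither satisfies the "same IP, close in time" condition the thread is discussing.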

