Another new worm ?

From: Russell Fulton (r.fultonat_private)
Date: Sun Apr 29 2001 - 18:28:05 PDT

    I've just spotted another pattern in my slow scanning logs:
    there are several machines probing 21 TCP ports on random addresses in
    our network.
    Here is a typical bunch of probes:
    
    29 Apr 01 08:49:10   s       tcp    24.180.92.60.1822   ->    130.216.61.178.1008  S_
    29 Apr 01 08:49:14   s       tcp    24.180.92.60.1891   ->    130.216.61.178.1524  S_
    29 Apr 01 08:49:18   s       tcp    24.180.92.60.1959   ->    130.216.61.178.2400  S_
    29 Apr 01 08:49:22   s       tcp    24.180.92.60.2025   ->    130.216.61.178.3879  S_
    29 Apr 01 08:49:26   s       tcp    24.180.92.60.2092   ->    130.216.61.178.5300  S_
    29 Apr 01 08:49:30   s       tcp    24.180.92.60.2179   ->    130.216.61.178.6635  S_
    29 Apr 01 08:49:34   s       tcp    24.180.92.60.2267   ->    130.216.61.178.6723  S_
    29 Apr 01 08:49:38   s       tcp    24.180.92.60.2334   ->    130.216.61.178.8282  S_
    29 Apr 01 08:49:42   s       tcp    24.180.92.60.2423   ->    130.216.61.178.9112  S_
    29 Apr 01 08:49:46   s       tcp    24.180.92.60.2511   ->    130.216.61.178.9705  S_
    29 Apr 01 08:49:50   s       tcp    24.180.92.60.2577   ->    130.216.61.178.10008 S_
    29 Apr 01 08:49:54   s       tcp    24.180.92.60.2644   ->    130.216.61.178.11753 S_
    29 Apr 01 08:49:58   s       tcp    24.180.92.60.2711   ->    130.216.61.178.12345 S_
    29 Apr 01 08:50:02   s       tcp    24.180.92.60.2778   ->    130.216.61.178.12754 S_
    29 Apr 01 08:50:06   s       tcp    24.180.92.60.2846   ->    130.216.61.178.15104 S_
    29 Apr 01 08:50:10   s       tcp    24.180.92.60.2912   ->    130.216.61.178.22252 S_
    29 Apr 01 08:50:14   s       tcp    24.180.92.60.2985   ->    130.216.61.178.29369 S_
    29 Apr 01 08:50:18   s       tcp    24.180.92.60.3062   ->    130.216.61.178.31337 S_
    29 Apr 01 08:50:22   s       tcp    24.180.92.60.3182   ->    130.216.61.178.33567 S_
    29 Apr 01 08:50:26   s       tcp    24.180.92.60.3261   ->    130.216.61.178.39168 S_
    29 Apr 01 08:50:30   s       tcp    24.180.92.60.3369   ->    130.216.61.178.60008 S_
    
    S_ indicates a SYN packet with no response.  Probe rates for these
    vary from around one to five addresses within our /16 per day, although
    they are fairly easy to pick up because of the number of ports probed.
    
    These first showed up in my logs 2 days ago (first traffic on the 27th)
    and there are now over 20 sources with this very distinctive
    signature.  Source addresses have a wide distribution, both within the
    IP address space and geographically.
    
    Looks to me like a worm that is infecting already compromised machines.
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
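
As an added example (not part of Russell's post or his scanning tool): a small Python script that parses records in the log format shown above, groups unanswered SYNs (flag `S_`) by source/destination pair, and flags any source that hits many distinct ports on one host within a short window. It also reports the probe cadence and checks whether the port set is exactly the 21 ports listed in the post, so the same signature can be matched against other sources. The 21 records from the post are used as sample input; the lone SYN to port 80 from 203.0.113.9 and the second sweep from 198.51.100.7 are constructed for the demonstration, and the thresholds (10 ports, 5-minute window) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# One record in the post's log format:
#   "29 Apr 01 08:49:10   s       tcp    24.180.92.60.1822   ->    130.216.61.178.1008  S_"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<proto>\w+)\s+"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.\d+\s+->\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+)\s+(?P<flags>\S+)$"
)
# The 21 destination ports hit in the post's sample, used here as a signature.
SIGNATURE_PORTS = frozenset({
    1008, 1524, 2400, 3879, 5300, 6635, 6723, 8282, 9112, 9705, 10008,
    11753, 12345, 12754, 15104, 22252, 29369, 31337, 33567, 39168, 60008})

class Probe(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str

class Finding(NamedTuple):
    src: str
    dst: str
    ports: tuple           # distinct destination ports, sorted
    span_seconds: float    # first probe to last probe
    gap_seconds: float     # median gap between consecutive probes (cadence)
    signature_match: bool  # exactly the 21-port set from the post

def parse_line(line):
    """Parse one record; returns None for non-matching lines or non-TCP protocols."""
    m = LINE_RE.match(line.strip())
    if not m or m["proto"] != "tcp":
        return None
    return Probe(datetime.strptime(m["ts"], "%d %b %y %H:%M:%S"),
                 m["src"], m["dst"], int(m["dport"]), m["flags"])

def find_port_sweeps(lines, min_ports=10, window=timedelta(minutes=5)):
    """Report (src, dst) pairs where one source sent unanswered SYNs ('S_') to at
    least min_ports distinct ports on one host, all within `window` (assumed thresholds)."""
    by_pair = defaultdict(list)
    for p in filter(None, map(parse_line, lines)):
        if p.flags == "S_":
            by_pair[(p.src, p.dst)].append(p)
    findings = []
    for (src, dst), probes in sorted(by_pair.items()):
        probes.sort(key=lambda p: p.ts)
        ports = tuple(sorted({p.dport for p in probes}))
        span = (probes[-1].ts - probes[0].ts).total_seconds()
        if len(ports) < min_ports or span > window.total_seconds():
            continue
        gaps = sorted((b.ts - a.ts).total_seconds() for a, b in zip(probes, probes[1:]))
        findings.append(Finding(src, dst, ports, span, gaps[len(gaps) // 2] if gaps else 0.0,
                                frozenset(ports) == SIGNATURE_PORTS))
    return findings

# The sample probes from the post, verbatim.
POST_LINES = """\
29 Apr 01 08:49:10   s       tcp    24.180.92.60.1822   ->    130.216.61.178.1008  S_
29 Apr 01 08:49:14   s       tcp    24.180.92.60.1891   ->    130.216.61.178.1524  S_
29 Apr 01 08:49:18   s       tcp    24.180.92.60.1959   ->    130.216.61.178.2400  S_
29 Apr 01 08:49:22   s       tcp    24.180.92.60.2025   ->    130.216.61.178.3879  S_
29 Apr 01 08:49:26   s       tcp    24.180.92.60.2092   ->    130.216.61.178.5300  S_
29 Apr 01 08:49:30   s       tcp    24.180.92.60.2179   ->    130.216.61.178.6635  S_
29 Apr 01 08:49:34   s       tcp    24.180.92.60.2267   ->    130.216.61.178.6723  S_
29 Apr 01 08:49:38   s       tcp    24.180.92.60.2334   ->    130.216.61.178.8282  S_
29 Apr 01 08:49:42   s       tcp    24.180.92.60.2423   ->    130.216.61.178.9112  S_
29 Apr 01 08:49:46   s       tcp    24.180.92.60.2511   ->    130.216.61.178.9705  S_
29 Apr 01 08:49:50   s       tcp    24.180.92.60.2577   ->    130.216.61.178.10008 S_
29 Apr 01 08:49:54   s       tcp    24.180.92.60.2644   ->    130.216.61.178.11753 S_
29 Apr 01 08:49:58   s       tcp    24.180.92.60.2711   ->    130.216.61.178.12345 S_
29 Apr 01 08:50:02   s       tcp    24.180.92.60.2778   ->    130.216.61.178.12754 S_
29 Apr 01 08:50:06   s       tcp    24.180.92.60.2846   ->    130.216.61.178.15104 S_
29 Apr 01 08:50:10   s       tcp    24.180.92.60.2912   ->    130.216.61.178.22252 S_
29 Apr 01 08:50:14   s       tcp    24.180.92.60.2985   ->    130.216.61.178.29369 S_
29 Apr 01 08:50:18   s       tcp    24.180.92.60.3062   ->    130.216.61.178.31337 S_
29 Apr 01 08:50:22   s       tcp    24.180.92.60.3182   ->    130.216.61.178.33567 S_
29 Apr 01 08:50:26   s       tcp    24.180.92.60.3261   ->    130.216.61.178.39168 S_
29 Apr 01 08:50:30   s       tcp    24.180.92.60.3369   ->    130.216.61.178.60008 S_
""".splitlines()
# Constructed records, not from the post: a lone unanswered SYN to port 80, and a
# second source sweeping the same 21 ports on another host, 4 seconds apart.
STRAY_LINE = "29 Apr 01 09:12:41   s       tcp    203.0.113.9.40001   ->    130.216.5.17.80  S_"
_T0 = datetime(2001, 4, 29, 10, 0, 0)
SECOND_SWEEP = [f"{(_T0 + timedelta(seconds=4 * i)):%d %b %y %H:%M:%S}   s       tcp    "
                f"198.51.100.7.{30000 + i}   ->    130.216.200.33.{port}  S_"
                for i, port in enumerate(sorted(SIGNATURE_PORTS))]
SAMPLE_LOG = POST_LINES + [STRAY_LINE] + SECOND_SWEEP

if __name__ == "__main__":
    for f in find_port_sweeps(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {len(f.ports)} ports in {f.span_seconds:.0f}s, "
              f"every ~{f.gap_seconds:.0f}s, signature match: {f.signature_match}")
```

Run against the sample, it reports the post's source (24.180.92.60, 21 ports in 80 seconds, one probe every 4 seconds, signature match) and the constructed second sweep, while the single SYN to port 80 is ignored. The window check is a simple first-to-last span over the whole group; for a production detector you would slide the window over the stream rather than hold all probes per pair in memory.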
    
    This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 19:32:39 PDT