Re: Port 6635

From: Matthew Leeds (mleedsat_private)
Date: Fri Sep 21 2001 - 09:45:32 PDT

    Most likely the Lion worm. Take a look at:
    
    http://www.sans.org/y2k/041001.htm
    and
    http://www.sans.org/y2k/040301-1430.htm
    
    for similar activity.
    
    ---Matthew
    
    *********** REPLY SEPARATOR  ***********
    
    On 9/21/2001 at 8:27 AM Craig, Scott wrote:
    
    >We received a very fast scan (probe) for port 6635 last night. I did a
    >search through the messages on the incidents.org mailing list and didn't
    >see any conclusive findings as to the tools being used or the purpose.
    >Does anyone have any further information on this yet?
    >
    >The probe occurred on 9/20/01 at 22:16 Eastern time. All within the same
    >minute, lasting only 2 seconds.
    >
    >Source IP       Source Port  Destination IPs      Dest. Port  Protocol
    >--------------  -----------  -------------------  ----------  --------
    >216.89.160.33   6635         MYIP.xxx.xxx.1-254   6635        TCP
    >
    >
    >Sorry, but I don't have a copy of the raw packet for display to determine
    >any of the flags being used.
    >
    >--
    >
    >DNS lookup done this morning came back to:
    >flare-raq1.flarenetworks.com
    >
    >
    >SAVVIS Communications (NETBLK-SAVVIS7) SAVVIS7   216.88.0.0 - 216.91.255.255
    >Flare Interactive (NETBLK-SAVV-FLAREINTER2) SAVV-FLAREINTER2   216.89.160.0 - 216.89.161.255
    >
    >
    >Server used for this query: [ whois.arin.net ]
    >
    >   Flare Interactive (NETBLK-SAVV-FLAREINTER2)
    >   233 Linden Street
    >   Fort Collins, CO 80524
    >   US
    >
    >   Netname: SAVV-FLAREINTER2
    >   Netblock: 216.89.160.0 - 216.89.161.255
    >   Maintainer: FLAR
    >
    >   Coordinator:
    >      MacDonald, Kyle  (KM372-ARIN)  kylemacat_private
    >      970-470-3300
    >
    >   Record last updated on 10-Apr-2000.
    >   Database last updated on 20-Sep-2001 23:16:45 EDT.
    >
    >==========
    >
    >Server used for this query: [ whois.arin.net ]
    >
    >   SAVVIS Communications (NETBLK-SAVVIS7)
    >   717 Office Parkway
    >   Creve Coeur, MO 63141
    >   US
    >
    >   Netname: SAVVIS7
    >   Netblock: 216.88.0.0 - 216.91.255.255
    >   Maintainer: SAVV
    >
    >   Coordinator:
    >      SAVVIS A Bridge Company  (ZS36-ARIN)  ipadminat_private
    >      314-468-7000
    >
    >   Domain System inverse mapping provided by:
    >
    >   NS1.SAVVIS.NET		209.16.211.42
    >   NS2.SAVVIS.NET		204.194.10.206
    >
    >   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    >
    >   Record last updated on 10-Mar-2000.
    >   Database last updated on 20-Sep-2001 23:16:45 EDT.
    >
    >
    >Scott
    >
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
    
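The probe Scott describes is a classic horizontal sweep: one source, one destination port, every host in a /24, all inside a couple of seconds. The script below is an added example (not code from the original post or from either list member) that flags this pattern in firewall-style logs. The log line format, the addresses (documentation ranges standing in for the source and the "MYIP" network) and the thresholds are all constructed assumptions for the demonstration.

```python
"""Horizontal port-sweep detector over constructed firewall-style log lines.

Added example; not part of the original mailing-list post.  The log format,
the addresses and the thresholds are assumptions made for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format:  "<YYYY-MM-DD HH:MM:SS> <PROTO> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_horizontal_sweeps(lines, min_targets=32, window=timedelta(seconds=10)):
    """Group hits by (source IP, protocol, destination port) and flag every group
    that reached at least `min_targets` distinct destination hosts inside any
    time span no longer than `window`.

    Counting distinct hosts inside a sliding window is what separates a sweep
    from a single busy source: a host probing the same server repeatedly, or a
    slow trickle spread over minutes, never accumulates enough targets.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["proto"], rec["dport"])].append(rec)

    findings = []
    for (src, proto, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_first, best_last = 0, None, None
        lo = 0
        for hi in range(len(recs)):
            # Advance the window start until the span [lo, hi] fits in `window`.
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            targets = {r["dst"] for r in recs[lo:hi + 1]}
            if len(targets) > best:
                best, best_first, best_last = len(targets), recs[lo]["ts"], recs[hi]["ts"]
        if best >= min_targets:
            findings.append({
                "src": src, "proto": proto, "dport": dport, "targets": best,
                "first": best_first, "last": best_last,
                "duration_s": (best_last - best_first).total_seconds(),
            })
    return findings


def constructed_sample_log():
    """Constructed sample: one source hits .1-.254 on 6635/tcp within two
    seconds (as in the post), plus ordinary traffic that must not be flagged."""
    lines = [
        "2001-09-20 22:10:05 TCP 198.51.100.7:40212 -> 10.0.0.12:80 SYN",   # repeat visits to one web server
        "2001-09-20 22:12:40 TCP 198.51.100.7:40213 -> 10.0.0.12:80 SYN",
        "2001-09-20 22:14:00 TCP 203.0.113.9:1025 -> 10.0.0.5:22 SYN",      # slow trickle, 30 s apart
        "2001-09-20 22:14:30 TCP 203.0.113.9:1026 -> 10.0.0.6:22 SYN",
        "2001-09-20 22:15:00 TCP 203.0.113.9:1027 -> 10.0.0.7:22 SYN",
        "this line is not in the expected format and is skipped",
    ]
    t0 = datetime(2001, 9, 20, 22, 16, 15)
    for host in range(1, 255):
        ts = t0 + timedelta(seconds=(host - 1) // 127)  # 127 hosts per second, two seconds total
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} TCP 192.0.2.33:6635 -> 10.0.0.{host}:6635 SYN")
    return lines


if __name__ == "__main__":
    for f in find_horizontal_sweeps(constructed_sample_log()):
        print(f"{f['src']} swept {f['targets']} hosts on {f['dport']}/{f['proto'].lower()} "
              f"in {f['duration_s']:.0f}s ({f['first']:%H:%M:%S} - {f['last']:%H:%M:%S})")
```

The source port equalling the destination port (6635 to 6635 in the post) is not used as a detection criterion here, since many scanners set it arbitrarily; the distinct-target count inside a short window is the robust signal. Lowering `min_targets` to 2 still leaves the trickle unflagged because its three hits fall outside a single 10-second window, which is the behaviour to check when tuning the thresholds against a real log.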
    



    This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 10:04:34 PDT