Certainly looks strange. Can you tell us something about the infected host (OS, services, etc.)? It's hard to tell how this is operating without that information. It will also give us insight into whether this may have been a worm, virus infection, targeted compromise, etc.

Also curious as to what information, if any, you have that leads you to believe that this may be a worm. Its targets appear to be random (not generated by any obvious, calculated method), which may be coming from a list, or could be entered manually if someone has control of this box.

Also, a quick spot check indicates that most of the destinations are FTP servers, all of which appear to be properly functioning as FTP servers (nothing else has taken over those ports). Could just be a compromised host being used to scan for anon. FTP, etc.

It also doesn't appear to be a DDoS, as you're really not hitting any single target with any amount of data. And no agents appear to be running (first glance, anyway) on the targets. I don't have NMAP capability outside of this network right now, so I can't check.

Cheers
Keith

-----Original Message-----
From: Eric Weaver [mailto:eric.weaverat_private]
Sent: Friday, April 05, 2002 10:00 AM
To: Incidentsat_private
Subject: POSSIBLE WORM / DDOS ?

POSSIBLE WORM / DDOS

Appears to be target port 21 and/or spreading via SMB. This is all I have right now:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Apr 05 2002 - 12:12:43 PST