New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)

• Previous message: Steven M. Christey: "Re: Good practicle php attack example"
• Next in thread: Tom Sands: "Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• Reply: Tom Sands: "Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Several (see http://diswww.mit.edu/charon/nanog/52239) have noticed
Slapper using UDP port 4156 today (and apparently yesterday as well
as I can see from netflow logs).

I've also noticed a Slapper variant apparently using UDP port 1978
today as well (one of our hosts on which Slapper is no longer active
is continuing to receive UDP packets to and from port 1978 from many
Internet sites).

H. Morrow Long
University Information Security Officer
Director, Information Security Office
Yale University, ITS



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Björn Wallentinus: "Re: new IIS worm? (rcp lsass.exe)"
• Previous message: Steven M. Christey: "Re: Good practicle php attack example"
• Next in thread: Tom Sands: "Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• Reply: Tom Sands: "Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Sep 22 2002 - 16:58:36 PDT