I believe this is the so-called "Good Worm" known as the W32.Welchia.Worm

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Under the technical details of the above URL look at item 7

Chris

On 22 Aug 2003, Ryan McConky wrote:

> In-Reply-To: <Law15-F50f3sllNY30k0001b928at_private>
>
> We are seeing the same thing on our routers. What is troubling me is that
> it is incrementing the dest ip by one each second. Like it is scanning.
> It is scanning internal and external networks. Most traced to Asian
> countries. Anyone else seeing this?
>
> >From: "morgs ." <morgs808at_private>
> >To: incidentsat_private
> >Subject: ICMP port 2048 scans
> >Date: Wed, 20 Aug 2003 12:17:12 +1000
> >Message-ID: <Law15-F50f3sllNY30k0001b928at_private>
> >
> >Is it just me or is anyone else getting nailed every 1 minute from various
> >sources asking for a connection to port 2048. There seems to be various
> >services that use this port including things like router configuration and
> >ssh in some cases. Some new worm or virus maybe?
>
> --
> .~.
> /V\
> /( )\
> ^^-^^

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------
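A small detector for the pattern Ryan describes, added here as an example and not part of the thread: it parses constructed router-style log lines (the field layout is assumed) and flags sources whose ICMP echo destinations step up by one address at one-second intervals. Reading "port 2048" as ICMP type 8, code 0 encoded as type*256+code is my interpretation, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed router-style log lines (not from the thread). Assumption: the
# router records an ICMP echo request (type 8, code 0) as "port 2048" (8*256+0).
SAMPLE_LOG = """\
Aug 20 12:17:12 fw: ICMP src=203.0.113.45 dst=198.51.100.10 port=2048
Aug 20 12:17:13 fw: ICMP src=203.0.113.45 dst=198.51.100.11 port=2048
Aug 20 12:17:14 fw: ICMP src=203.0.113.45 dst=198.51.100.12 port=2048
Aug 20 12:17:15 fw: ICMP src=203.0.113.45 dst=198.51.100.13 port=2048
Aug 20 12:17:12 fw: ICMP src=192.0.2.7 dst=198.51.100.10 port=2048
Aug 20 12:18:40 fw: ICMP src=192.0.2.7 dst=198.51.100.10 port=2048
Aug 20 12:17:20 fw: TCP src=192.0.2.9 dst=198.51.100.10 port=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) port=(?P<port>\d+)$")

def parse(log_text, year=2003):
    """Yield (timestamp, proto, src, dst, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a layout we do not understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["proto"], m["src"], m["dst"], int(m["port"])

def find_icmp_sweeps(log_text, min_hits=3, max_gap_s=5):
    """Map each source to the longest run of echo requests whose destination
    is the previous destination + 1 and arrives within max_gap_s seconds
    (the "dest ip incremented by one each second" behaviour in the thread)."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, port in parse(log_text):
        if proto == "ICMP" and port == 2048:  # echo requests only
            by_src[src].append((ts, int(ip_address(dst))))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        run = 1
        for (t0, d0), (t1, d1) in zip(hits, hits[1:]):
            if d1 == d0 + 1 and (t1 - t0).total_seconds() <= max_gap_s:
                run += 1
                if run >= min_hits:
                    sweeps[src] = max(sweeps.get(src, 0), run)
            else:
                run = 1  # gap or non-sequential target: start a new run
    return sweeps
```

A repeated ping of a single host (the 192.0.2.7 lines) is not flagged; only the sequential sweep is, so ordinary monitoring pings do not trip the check.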
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:04:51 PDT