Certainly looks strange. Can you tell us something about the infected
host (OS, services, etc.)? It's hard to tell how this is operating
without that information. It will also give us insight into whether
this may have been a worm, virus infection, targeted compromise, etc.
Also curious as to what information, if any, you have that leads you to
believe that this may be a worm. Its targets appear to be random (not
generated by any obvious, calculated method), which may be coming from a
list, or could be entered manually if someone has control of this box.
Also, a quick spot check indicates that most of the destinations are FTP
servers, all of which appear to be properly functioning as FTP servers
(nothing else has taken over those ports). Could just be a compromised
host being used to scan for anon. FTP, etc.
It also doesn't appear to be a DDoS, as you're really not hitting any
single target with any amount of data. And no agents appear to be
running (first glance, anyway) on the targets. I don't have NMAP
capability outside of this network right now, so I can't check.
Cheers
Keith
-----Original Message-----
From: Eric Weaver [mailto:eric.weaver_at_ids2.net]
Sent: Friday, April 05, 2002 10:00 AM
To: Incidents_at_securityfocus.com
Subject: POSSIBLE WORM / DDOS ?
POSSIBLE WORM / DDOS
Appears to be target port 21 and/or spreading via SMB. This is all I have
right now:
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 05 2002
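The triage reasoning in the reply above (are the destinations sequential or scattered, is one port dominant, is any single target absorbing most of the traffic) can be turned into a small, repeatable check. The following is an added example and not code from either poster or from SecurityFocus; the connection records, addresses, byte counts and thresholds are all constructed for illustration, and the three-way classification is a heuristic for a first pass, not a definitive verdict on what is running on the host.

```python
import ipaddress
from collections import Counter

# Constructed outbound connection records from a suspect host:
# (timestamp, dst_ip, dst_port, bytes_sent). Made-up values, not data
# from the thread. Scattered destinations, almost all on port 21.
SAMPLE_CONNECTIONS = [
    ("2002-04-05T09:51:02", "198.51.100.7",   21, 412),
    ("2002-04-05T09:51:05", "203.0.113.88",   21, 398),
    ("2002-04-05T09:51:09", "192.0.2.130",    21, 405),
    ("2002-04-05T09:51:14", "198.51.100.201", 445, 290),
    ("2002-04-05T09:51:20", "203.0.113.14",   21, 401),
    ("2002-04-05T09:51:26", "192.0.2.9",      21, 417),
    ("2002-04-05T09:51:31", "198.51.100.58",  21, 390),
    ("2002-04-05T09:51:37", "203.0.113.240",  21, 409),
]

# Constructed contrast case: a linear sweep of consecutive addresses.
SWEEP_CONNECTIONS = [
    ("2002-04-05T10:02:01", "192.0.2.10", 21, 120),
    ("2002-04-05T10:02:02", "192.0.2.11", 21, 118),
    ("2002-04-05T10:02:03", "192.0.2.12", 21, 121),
    ("2002-04-05T10:02:04", "192.0.2.13", 21, 119),
    ("2002-04-05T10:02:05", "192.0.2.14", 21, 122),
]

# Constructed contrast case: one destination absorbing nearly all bytes.
FLOOD_CONNECTIONS = [
    ("2002-04-05T10:10:00", "203.0.113.5", 80, 50000),
    ("2002-04-05T10:10:01", "203.0.113.5", 80, 50000),
    ("2002-04-05T10:10:02", "203.0.113.5", 80, 50000),
    ("2002-04-05T10:10:03", "203.0.113.5", 80, 50000),
    ("2002-04-05T10:10:04", "198.51.100.7", 21, 400),
]


def port_distribution(conns):
    """Count of connections per destination port."""
    return Counter(port for _, _, port, _ in conns)


def top_target_share(conns):
    """Fraction of all bytes sent that went to the single busiest destination.
    A value near 1.0 is what a single-target flood looks like."""
    per_dst = Counter()
    for _, dst, _, nbytes in conns:
        per_dst[dst] += nbytes
    total = sum(per_dst.values())
    if total == 0:
        return 0.0
    return max(per_dst.values()) / total


def sequential_fraction(conns):
    """Fraction of consecutive destinations (in time order) whose addresses
    differ by exactly one. Near 1.0 suggests a linear sweep; near 0.0 suggests
    random, list-driven or hand-picked targets."""
    addrs = [int(ipaddress.ip_address(dst)) for _, dst, _, _ in sorted(conns)]
    if len(addrs) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(addrs, addrs[1:]) if abs(b - a) == 1)
    return adjacent / (len(addrs) - 1)


def classify(conns, flood_share=0.8, sweep_fraction=0.6):
    """Heuristic first-pass label. Thresholds are assumptions chosen for the
    constructed samples, not calibrated values."""
    if not conns:
        return "no data"
    dominant_port, _ = port_distribution(conns).most_common(1)[0]
    if top_target_share(conns) >= flood_share:
        return "single-target flood (DDoS-like)"
    if sequential_fraction(conns) >= sweep_fraction:
        return f"sequential sweep on port {dominant_port} (worm-like)"
    return f"scattered probes on port {dominant_port} (list-driven or manual scan)"


if __name__ == "__main__":
    for name, conns in (("sample", SAMPLE_CONNECTIONS),
                        ("sweep", SWEEP_CONNECTIONS),
                        ("flood", FLOOD_CONNECTIONS)):
        print(f"{name:7s} ports={dict(port_distribution(conns))} "
              f"top_share={top_target_share(conns):.2f} "
              f"sequential={sequential_fraction(conns):.2f} -> {classify(conns)}")
```

Run against a real capture, the records would come from firewall or flow logs rather than a literal list; the point of separating the three measures is that each answers one of the questions raised in the reply, so a host that scores low on both target concentration and sequential adjacency while hammering one port is consistent with list-driven scanning, which is the reading the reply arrives at by hand.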