Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

"Worm riders" on 4156?
From: "Anton Chuvakin, Ph.D., GCIA" <anton () chuvakin org>
Date: Mon, 23 Sep 2002 18:55:09 -0400 (EDT)
Hello all,

Just a fun incident here.

This page http://isc.incidents.org/aion.html)  describes the modified
slapper worm running port 4156 UDP instead of 2002.

Our honeypot (RH Linux 7.x) was hit with this thing. I figured that by now
ukr.net have taken care of the email address and nobody will get an email
from the worm.

I was in for a big surprise. A bit less than a half day after the worm
left its deadly trace on the box, it started downloading tools and talking
IRC (as usual, in good ole Romanian)...

I have not noticed any prior scans for port 1052.

So it appears that folks are using those newly built worm networks. I
suspect that people look for worm scans on their own boxes and then take
over the machines that scan. I just started looking thru the logs and I
begin to see IRC channels where those "worm" hang out...

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
  • "Worm riders" on 4156? Anton Chuvakin, Ph.D., GCIA (Sep 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]