Re: W32/Sobig-F - Halflife correlation ???
From: "Darren Smith" <data () barrysworld com>
Date: Mon, 25 Aug 2003 23:07:38 +0100


Did anyone else see anything with regards to this thread?

Regards

Darren Smith

----- Original Message ----- 
From: "Darren Smith" <data () barrysworld com>
To: "Robert Blayzor" <rblayzor () inoc net>; "North American Network Operators Group"
<nanog () merit edu>
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???



Hi

Just a quick look at my syslog file, where MOO is the name of my ACL.

fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
2383

fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
459

fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
210

fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
59

As you can see most of them were on 27015, these logs were from just one of
my transit interfaces.

Best Regards

Darren Smith

----- Original Message ----- 
From: "Robert Blayzor" <rblayzor () inoc net>
To: "North American Network Operators Group" <nanog () merit edu>
Sent: Saturday, August 23, 2003 1:05 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???



On 8/23/03 7:17 AM, "Darren Smith" <data () barrysworld com> wrote:

They were trying to hit servers in multiple subnets, all on ports 270XX.

I'm not sure on this.  Lots of gaming servers use the 270XX UDP range.
Quake3, HL, etc.

It may be possible it's just probing for other HL servers running on
different ports.  A lot of these games also use the same gaming engine for
the network and graphics abilities, so it's possible HL may not be the only
"game server" in the mix, it may be any game that uses the HL engine.  I
know there are several out there, Counterstrike being one of them.

So if it's not looking for a HL only exploit, I'd bet it's trying to get the
infected machines to link up and communicate via the network of gaming
servers.  This could be very bad because there could be virtually no way to
stop this other than taking down the "Game Spy" type networks so the
computers can't find each other.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor () inoc net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

"Oh my God, Space Aliens!!  Don't eat me, I have a wife and kids!
                Eat them!"  -- Homer J. Simpson
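The `fgrep MOO ... | grep 27015 -c` tally above counts any log line containing the substring "27015" anywhere, so a source port, packet counter or address fragment that happens to contain those digits is counted too. The script below is an added example (not part of the thread or of any poster's tooling) that parses Cisco IOS `IPACCESSLOGP` ACL log lines, counts only lines whose *destination* port is in the 27015-27019 range for the named ACL, and also reports the distinct source addresses per port, which is what tells a defender whether they are seeing a handful of scanners or a large infected population. The log format and the sample lines are constructed for the example; the ACL name `MOO` is the one Darren used.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS ACL log message with ports (IPACCESSLOGP).  The field layout is
# assumed from the usual IOS syslog style; real routers may prefix timestamps
# and sequence numbers differently, which is why we use search() not match().
ACL_LOG = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log.  Line 3 has 27015 as the *source* port and line 5
# belongs to a different ACL: a substring grep counts line 3, a parser does not.
SAMPLE_LOG = """\
Aug 23 13:01:02 rtr 1234: %SEC-6-IPACCESSLOGP: list MOO denied udp 10.9.8.7(1025) -> 192.0.2.10(27015), 1 packet
Aug 23 13:01:03 rtr 1235: %SEC-6-IPACCESSLOGP: list MOO denied udp 10.9.8.7(1026) -> 192.0.2.11(27015), 3 packets
Aug 23 13:01:04 rtr 1236: %SEC-6-IPACCESSLOGP: list MOO denied udp 10.9.8.8(27015) -> 192.0.2.12(53), 1 packet
Aug 23 13:01:05 rtr 1237: %SEC-6-IPACCESSLOGP: list MOO denied udp 10.9.8.9(1027) -> 192.0.2.13(27016), 1 packet
Aug 23 13:01:06 rtr 1238: %SEC-6-IPACCESSLOGP: list OTHER denied tcp 10.9.8.10(4444) -> 192.0.2.14(27015), 1 packet
Aug 23 13:01:07 rtr 1239: %SEC-6-IPACCESSLOGP: list MOO denied udp 10.9.8.11(1028) -> 192.0.2.15(27018), 2 packets
"""

GAME_PORTS = range(27015, 27020)  # the "270XX" range discussed in the thread


def parse_acl_lines(log_text, acl="MOO"):
    """Yield parsed match objects for log lines that belong to the given ACL."""
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if m and m.group("acl") == acl:
            yield m


def count_by_dport(log_text, acl="MOO", ports=GAME_PORTS):
    """Count ACL log lines per *destination* port, restricted to `ports`."""
    hits = Counter()
    for m in parse_acl_lines(log_text, acl):
        dport = int(m.group("dport"))
        if dport in ports:
            hits[dport] += 1
    return hits


def sources_by_dport(log_text, acl="MOO", ports=GAME_PORTS):
    """Distinct source addresses seen per destination port (scanners vs. population)."""
    sources = defaultdict(set)
    for m in parse_acl_lines(log_text, acl):
        dport = int(m.group("dport"))
        if dport in ports:
            sources[dport].add(m.group("src"))
    return dict(sources)


def naive_grep_count(log_text, acl, needle):
    """Reproduce `fgrep ACL log | grep -c NEEDLE`: substring match anywhere on the line."""
    return sum(1 for line in log_text.splitlines() if acl in line and needle in line)


if __name__ == "__main__":
    for port, n in sorted(count_by_dport(SAMPLE_LOG).items()):
        srcs = sources_by_dport(SAMPLE_LOG)[port]
        print(f"dport {port}: {n} lines from {len(srcs)} distinct source(s)")
    print("grep-style count for 27015:", naive_grep_count(SAMPLE_LOG, "MOO", "27015"))
```

On the constructed sample the parser reports 2 hits for destination port 27015 while the grep-style count reports 3, the difference being the line whose source port was 27015. Run it against a real router log by replacing `SAMPLE_LOG` with the file contents; lines that do not carry ports (the `IPACCESSLOGNP`/`IPACCESSLOGDP` variants) are simply skipped.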