Educause Security Discussion mailing list archives

Re: Any ideas?


From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Mon, 19 Jan 2004 14:49:03 -0700

What you are describing doesn't sound like Bagle to me.

You might have "Backdoor.Kaitex" or something similar.  There are a
lot of backdoors that use TCP port 6667.  See:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.kaitex.html

Many IRC servers listen on port 6667.  There have been some DoS attacks
against IRC servers in the past.  See:
http://seclists.org/lists/incidents/2001/Jul/0050.html

--Clyde

Piscitello, Frank wrote:


I don't think it's bagle, because this started up on Friday morning.
Also, my computers are looking for the 68.202 address via port 6667,
they are not listening on the port.

------------------------------------------------------------------
Frank J. Piscitello, Jr.
Information Security Manager
Office of Information Security
West Chester University of PA
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

-----Original Message-----
From: Cam Beasley, ISO [mailto:cam () AUSTIN UTEXAS EDU]
Sent: Monday, January 19, 2004 4:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Any ideas?

This is linked to the new Beagle/Bagle
worm.. Also possibly TCP 39999.

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------




-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Piscitello, Frank
Sent: Monday, January 19, 2004 3:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Any ideas?


I have what I'm assuming is a worm/scanner that is attempting to
connect to 68.202.199.235 on port 6667. The mystery is that the source
IP seems to be every address on my one student subnet. The IP packet
is 60 bytes and the Frame is 74 bytes. There is no actual data.

Any ideas?
-Frank


------------------------------------------------------------------
Frank J. Piscitello, Jr.
Information Security Manager
Office of Information Security
West Chester University of PA
West Chester, PA 19383
Phone: 610-436-3192
Fax: 610-436-3110
http://www.wcupa.edu/infoservices/security/

Security is everyone's responsibility.

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at

http://www.educause.edu/cg/.
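
Added example (not part of any poster's message and not code from the thread): the pattern described in the original question, many addresses of one subnet sending data-less TCP packets to a single external host on port 6667, can be surfaced from packet or flow records with a fan-in check. The records, the subnet 10.20.30.0/28, the destination 192.0.2.10, the MAC addresses and the function names are constructed placeholders. The source-MAC count goes beyond the thread and assumes a capture taken on the subnet's own segment, where one MAC behind many source IPs would point to forged source addresses rather than many separate hosts.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed records, not the thread's capture:
    (src_mac, src_ip, dst_ip, dport, tcp_flags, ip_len, ip_hdr_len, tcp_hdr_len)."""
    one_mac = "02:00:00:00:00:aa"  # placeholder locally administered MAC
    rows = [(one_mac, f"10.20.30.{h}", "192.0.2.10", 6667, "S", 60, 20, 40)
            for h in range(1, 13)]
    rows += [
        ("02:00:00:00:00:03", "10.20.30.3", "198.51.100.7", 80, "S", 60, 20, 40),
        ("02:00:00:00:00:03", "10.20.30.3", "198.51.100.7", 80, "PA", 412, 20, 32),
        ("02:00:00:00:00:09", "10.20.30.9", "198.51.100.8", 6667, "S", 60, 20, 40),
        ("02:00:00:00:00:bb", "172.16.5.4", "192.0.2.10", 6667, "S", 60, 20, 40),
    ]
    return rows

def fan_in(rows, subnet, min_fraction=0.5):
    """Return (dst, dport) pairs contacted by at least min_fraction of the
    subnet's usable addresses, with payload and source-MAC summaries."""
    net = ipaddress.ip_network(subnet)
    usable = max(net.num_addresses - 2, 1)
    ips, macs, with_data = defaultdict(set), defaultdict(set), defaultdict(int)
    for mac, src, dst, dport, flags, ip_len, ip_hdr, tcp_hdr in rows:
        if ipaddress.ip_address(src) not in net:
            continue  # only sources inside the monitored subnet count
        key = (dst, dport)
        ips[key].add(src)
        macs[key].add(mac)
        # Payload bytes = IP total length minus IP and TCP header lengths.
        if flags != "S" or ip_len - ip_hdr - tcp_hdr > 0:
            with_data[key] += 1
    findings = []
    for (dst, dport), srcs in ips.items():
        coverage = len(srcs) / usable
        if coverage >= min_fraction:
            findings.append({
                "dst": dst, "dport": dport, "source_ips": len(srcs),
                "coverage": round(coverage, 2),
                "bare_syn_only": with_data[(dst, dport)] == 0,
                "source_macs": len(macs[(dst, dport)]),
            })
    return findings

if __name__ == "__main__":
    for finding in fan_in(build_sample(), "10.20.30.0/28"):
        print(finding)
```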
