Security Incidents mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Joe Stewart <jstewart () lurhq com>
Date: Wed, 21 Apr 2004 16:26:28 -0500
Just to update everyone on what Agobot scans for these days:

With newer variants, the scanned-for port list is:

80,135,139,445,1025,1433,2082,2745,3127,5000,6129

Here are the details:

Scans port 135 for MS03-039 "DCOM2" vulnerability
Scans port 139 for MS03-049 Workstation vulnerability
Scans port 1433 for weak MSSQL administrator passwords
Scans port 2082 for CPanel vulnerability (OSVDB ID: 4205)
Scans port 2745 for backdoor left by the Bagle Virus
Scans port 3127 for MyDoom.A backdoor
Scans port 5000 for MS01-059 UPnP vulnerability
Scans port 6129 for Dameware vulnerability (OSVDB ID: 3042)
Scans port 80 for MS03-007 WebDav vulnerability
Scans ports 135, 445 and 1025 for MS03-032 vulnerability
Scans ports 139 and 445 for weak Netbios passwords

It was reported earlier that it scans port 445 for the MS03-001 Locator
service vulnerability but this feature doesn't appear to work.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
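Added example (not part of the original post): one way to use the port list above to find internal hosts that are scanning, by flagging any source that probes several of the listed ports across several destinations. The "src dst dport" record format, the sample flows, the thresholds and the choice of which ports to call out as distinctive are assumptions made for illustration.

```python
from collections import defaultdict

# Scanned-for ports exactly as listed in the post.
AGOBOT_PORTS = {80, 135, 139, 445, 1025, 1433, 2082, 2745, 3127, 5000, 6129}
# Assumption: these listed ports are rarely contacted by ordinary clients,
# so they are reported separately. Labels follow the post's descriptions.
DISTINCTIVE = {2082: "CPanel", 2745: "Bagle backdoor",
               3127: "MyDoom.A backdoor", 6129: "Dameware"}

# Constructed sample: one outbound TCP SYN per line, "src dst dport".
SAMPLE_FLOWS = """\
10.1.4.23 192.0.2.10 80
10.1.4.23 192.0.2.10 6129
10.1.4.23 192.0.2.11 1025
10.1.4.23 192.0.2.11 3127
10.1.4.23 192.0.2.12 135
10.1.4.23 192.0.2.12 445
10.1.4.50 198.51.100.5 80
10.1.4.50 198.51.100.6 80
10.1.4.50 198.51.100.7 80
10.1.4.50 10.1.0.2 445
10.1.4.77 203.0.113.9 443
malformed line here now
"""

def find_scanners(flow_text, min_ports=4, min_dsts=3):
    """Return sources that hit >= min_ports listed ports on >= min_dsts hosts."""
    ports, dsts = defaultdict(set), defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip malformed records
        src, dst, dport = fields[0], fields[1], int(fields[2])
        if dport in AGOBOT_PORTS:
            ports[src].add(dport)
            dsts[src].add(dst)
    hits = {}
    for src, seen in ports.items():
        if len(seen) >= min_ports and len(dsts[src]) >= min_dsts:
            hits[src] = {
                "ports": sorted(seen),
                "destinations": len(dsts[src]),
                "distinctive": sorted(DISTINCTIVE[p] for p in seen if p in DISTINCTIVE),
            }
    return hits

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_FLOWS).items():
        print(src, info)
```

Requiring several distinct listed ports keeps a normal web or file-share client (10.1.4.50 in the sample) from being flagged on ports 80 and 445 alone.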