From: Anton Chuvakin, Ph.D., GCIA (anton_at_chuvakin.org)
Date: Mon Sep 23 2002 - 17:55:09 CDT

    Hello all,

    Just a fun incident here.

    This page (http://isc.incidents.org/aion.html) describes the modified
    slapper worm running port 4156 UDP instead of 2002.

    Our honeypot (RH Linux 7.x) was hit with this thing. I figured that by now
    ukr.net have taken care of the email address and nobody will get an email
    from the worm.

    I was in for a big surprise. A bit less than a half day after the worm
    left its deadly trace on the box, it started downloading tools and talking
    IRC (as usual, in good ole Romanian)...

    I have not noticed any prior scans for port 1052.

    So it appears that folks are using those newly built worm networks. I
    suspect that people look for worm scans on their own boxes and then take
    over the machines that scan. I just started looking thru the logs and I
    begin to see IRC channels where those "worm" hang out...

    Best,

    -- 
      Anton A. Chuvakin, Ph.D., GCIA
         http://www.chuvakin.org
       http://www.info-secure.org
    

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com