Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
mgotts
2roads.com
Date: Wed Apr 21 2004 - 04:16:04 CDT
>
> Sound familiar to anyone?
>
Have not seen the particular virus/worm, but have seen scans from single
IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence.
6129 is the default port for the DameWare remote control agent:
http://isc.sans.org/port_details.php?port=6129
3127 is used by MyDoom, Novarg and variants
http://isc.sans.org/port_details.php?isc=4359007a189bdac49792ce2e8ac2f7f0&port=3127&repax=1&tarax=2&srcax=2&percent=N&days=40
I'd start with these. But it could, as always, be yet another variant.
Lucky you.
-- Mark Gottschalk
Two Roads Professional Resources
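
One way to hunt for the scan pattern reported in the message above (a single source probing ports 6129, 2745, 135, 445, 1025, 3127 in sequence), as an added example that is not part of the original post. The log format, the 60-second window, the function names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Port order reported in the message above.
SCAN_SEQUENCE = [6129, 2745, 135, 445, 1025, 3127]

# Constructed sample records (assumed format): "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_LOG = """\
1082538900 10.1.4.23 10.1.9.10 6129
1082538901 10.1.4.23 10.1.9.10 2745
1082538901 10.1.7.77 10.1.9.10 80
1082538902 10.1.4.23 10.1.9.10 135
1082538903 10.1.4.23 10.1.9.10 445
1082538903 10.1.4.23 10.1.9.10 1025
1082538904 10.1.4.23 10.1.9.10 3127
1082539900 10.1.6.60 10.1.9.12 6129
1082539901 10.1.6.60 10.1.9.12 2745
1082539902 10.1.6.60 10.1.9.12 135
1082549903 10.1.6.60 10.1.9.12 445
1082549904 10.1.6.60 10.1.9.12 1025
1082549905 10.1.6.60 10.1.9.12 3127
"""

def parse(log_text):
    """Yield (timestamp, src, dst, dport) from whitespace-separated records."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[0].isdigit() and fields[3].isdigit()):
            continue  # skip malformed lines rather than abort the run
        yield int(fields[0]), fields[1], fields[2], int(fields[3])

def find_sequence_scanners(log_text, sequence=SCAN_SEQUENCE, window=60):
    """Return sorted source IPs that probed one host on every port in
    `sequence`, in order, within `window` seconds (other ports may interleave)."""
    progress = defaultdict(lambda: (0, None))  # (src, dst) -> (next index, start time)
    flagged = set()
    for ts, src, dst, dport in sorted(parse(log_text), key=lambda r: r[0]):
        idx, start = progress[(src, dst)]
        if start is not None and ts - start > window:
            idx, start = 0, None  # too slow to be one sweep: match from the start again
        if dport == sequence[idx]:
            start = ts if idx == 0 else start
            idx += 1
            if idx == len(sequence):
                flagged.add(src)
                idx, start = 0, None
        progress[(src, dst)] = (idx, start)
    return sorted(flagged)
```

On the constructed sample, only 10.1.4.23 completes the sequence inside the window; 10.1.6.60 touches the same ports but pauses too long between them.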