RE: TCP port 5000 syn increasing
From: Nick FitzGerald (nick at virus-l.demon.co.uk)
Date: Tue May 18 2004 - 17:58:34 CDT
Paul Schmehl <pauls at utdallas.edu> wrote:
> I'd be inclined to agree with you, Jose. I suspect this is something new
> that's been "distributed" through a bot network of already compromised
> machines (Agobot/Gaobot). I'm seeing *some* correlation between hosts
> "poking" me on 3217 and 6129 (Agobot for sure) and 5000, but not on the
> other ports.
By "*some* correlation" do you mean "temporally close" or just "these
IPs hit those three ports in the last 24 hours"?
Bot nets can, of course, be useful as launching pads for all manner of
other malware if the bot net owner so wishes. But also keep in mind
that bot net agents tend to be running on the most under-administered
and thus least patched (Windows) machines on the net, so even "smart"
bot net agents that close their own compromise access point (relatively
rare) so the bot net agent can't be "re-infected" or overrun through
that hole, are likely to be on machines with plenty of other
exploitable access methods (as an example, I just cleaned up an XP Home
machine infested with Nachi.B and Sasser.A, plus a backdoor Trojan that
is not one of the self-spreading ones -- I could not determine how the
latter got on the machine in the time available and the client didn't
care that much, but any post-SP1 vuln or recent Outlook/OE trick or
straight-out SE would all be options).
> Of course with the cut and paste worms that are coming out these days, who
> can say what it really might be?
This is also quite an issue...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
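The distinction Nick draws above ("temporally close" versus "same IPs hit those three ports in the last 24 hours") is easy to make concrete in a log correlation script. The following is an added example, not code from the thread; it assumes a hypothetical, constructed SYN log format of the form "<ISO timestamp> SYN <src_ip> -> <dst_port>" and the three ports named in the discussion (3217, 6129, 5000).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the thread: 3217 and 6129 (Agobot-associated) and 5000.
PORTS_OF_INTEREST = {3217, 6129, 5000}

# Constructed sample log lines (hypothetical format, not real traffic).
SAMPLE_LOG = """\
2004-05-18T10:00:01 SYN 192.0.2.10 -> 3217
2004-05-18T10:00:03 SYN 192.0.2.10 -> 6129
2004-05-18T10:00:04 SYN 192.0.2.10 -> 5000
2004-05-18T02:15:00 SYN 198.51.100.7 -> 3217
2004-05-18T09:40:00 SYN 198.51.100.7 -> 6129
2004-05-18T21:05:00 SYN 198.51.100.7 -> 5000
2004-05-18T11:00:00 SYN 203.0.113.5 -> 5000
"""

def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "SYN" or parts[3] != "->":
            continue
        yield datetime.fromisoformat(parts[0]), parts[2], int(parts[4])

def hits_by_source(events, ports=PORTS_OF_INTEREST):
    """Map src_ip -> {dst_port: [timestamps]} for the ports of interest only."""
    table = defaultdict(lambda: defaultdict(list))
    for ts, src, port in events:
        if port in ports:
            table[src][port].append(ts)
    return table

def correlated_sources(table, window, ports=PORTS_OF_INTEREST):
    """Sources that hit every port of interest inside one window-long span.
    24h gives the loose "same day" reading; 60s gives the "temporally close" one."""
    found = set()
    for src, per_port in table.items():
        if not ports <= set(per_port):
            continue  # never touched at least one of the ports
        for start in sorted(t for ts in per_port.values() for t in ts):
            end = start + window
            if all(any(start <= t <= end for t in per_port[p]) for p in ports):
                found.add(src)
                break
    return found

def analyze(text=SAMPLE_LOG):
    table = hits_by_source(parse_log(text))
    return {"any_time_24h": correlated_sources(table, timedelta(hours=24)),
            "within_60s": correlated_sources(table, timedelta(seconds=60))}
```

On the sample data, the loose 24-hour reading flags two sources while the 60-second reading flags only the one whose three probes arrived within seconds of each other.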