Date: Sat, 27 Mar 2004 01:25:10 +0000
From: "Steve Browning" <browningsteve@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?


Everyone, over the past 4 days I have been observing very random outgoing 
connection requests to a single external machine on the inet over ports 3127 
and 3198.

The three machines in question are running Windows 2000 Server with all 
security fixes and current Symantec anti-virus definitions.  The following 
characteristics are being observed:

1.  Outgoing connections started on Tuesday morning.  Approximately 3 probes 
an hour.

2.  Each machine is trying to reach the same IP address on the inet. (IP 
belongs to a private company)

3.  Probes slowed down on Tuesday afternoon, then stopped altogether.  On 
Wednesday afternoon I observed a couple more probes, then nothing.

I have scanned these machines with AV software, no viruses detected, and 
because the ports in question are normally associated with 
Novarg/mydoom/doomjuice I ran the removal utilities from Microsoft and the 
AV vendor which detected nothing either.

I visited the machines and ran FPORT, PSlist and a couple of other tools and 
detected no unusual processes.  I also scanned each of the machines with 
Nmap and Nessus and detected nothing out of the ordinary. (no open ports 
other than MS stuff etc)  I have blocked all outgoing access to the IP in 
question. (the ports were already closed incoming/outgoing)  I have also 
placed a sniffer in front of these machines configured to capture traffic 
going to the suspect IP address, so far nothing.

Does anyone have any idea whether there is an unknown virus/worm using TCP 
3127/3198?  I will be rebuilding these machines shortly but I just wanted to 
get some feedback or see whether anyone else was experiencing similar 
problems.

Thanks in advance for any replies,

Steve
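The triage Steve describes (watching for outbound attempts to TCP 3127/3198, noticing that several hosts hit the same external address, and estimating the probe rate) can be done over firewall or perimeter logs rather than by eye. The script below is an added example and is not part of the original post; the log line format and the sample lines are constructed for illustration (no real firewall product emits exactly this format), and the addresses are documentation ranges. It groups watched-port attempts by source and destination, reports first/last seen and attempts per hour, and lists destinations contacted by more than one internal host, which is the symptom the post singles out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the post associates with the Novarg/Mydoom/Doomjuice backdoors.
WATCH_PORTS = {3127, 3198}

# Constructed sample log in a hypothetical "key=value" firewall format.
# The timestamps mimic the roughly-three-probes-an-hour pattern in the post.
SAMPLE_LOG = """\
2004-03-23 09:02:11 src=10.0.0.11 dst=203.0.113.7 proto=tcp dport=3127 flags=SYN
2004-03-23 09:25:40 src=10.0.0.11 dst=203.0.113.7 proto=tcp dport=3198 flags=SYN
2004-03-23 09:31:03 src=10.0.0.12 dst=203.0.113.7 proto=tcp dport=3127 flags=SYN
2004-03-23 09:47:58 src=10.0.0.11 dst=203.0.113.7 proto=tcp dport=3127 flags=SYN
2004-03-23 10:05:12 src=10.0.0.13 dst=198.51.100.9 proto=tcp dport=443 flags=SYN
2004-03-23 10:12:30 src=10.0.0.12 dst=203.0.113.7 proto=tcp dport=3198 flags=SYN
2004-03-23 10:40:00 src=10.0.0.11 dst=203.0.113.7 proto=tcp dport=3127 flags=SYN
2004-03-23 11:02:11 src=10.0.0.11 dst=203.0.113.7 proto=tcp dport=3198 flags=SYN
2004-03-23 11:30:00 src=10.0.0.13 dst=203.0.113.7 proto=tcp dport=3127 flags=SYN
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def summarize_outbound(log_text, watch_ports=WATCH_PORTS):
    """Group outbound TCP attempts to watched ports by (src, dst) and return
    per-pair count, ports used, first/last seen and attempts per hour."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in watch_ports:
            continue
        groups[(rec["src"], rec["dst"])].append(rec)

    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        first, last = recs[0]["ts"], recs[-1]["ts"]
        # Floor the window at one hour so a single hit does not divide by zero
        # or produce an inflated rate.
        span_hours = max((last - first).total_seconds() / 3600.0, 1.0)
        summary[key] = {
            "count": len(recs),
            "ports": sorted({r["dport"] for r in recs}),
            "first_seen": first,
            "last_seen": last,
            "per_hour": round(len(recs) / span_hours, 2),
        }
    return summary


def common_destinations(summary, min_sources=2):
    """Destinations reached on watched ports by at least min_sources distinct
    internal hosts: one shared external address is the post's key symptom."""
    by_dst = defaultdict(set)
    for (src, dst) in summary:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    s = summarize_outbound(SAMPLE_LOG)
    for (src, dst), info in sorted(s.items()):
        print(f"{src} -> {dst} ports={info['ports']} n={info['count']} "
              f"rate={info['per_hour']}/h first={info['first_seen']} last={info['last_seen']}")
    print("shared destinations:", common_destinations(s))
```

Feeding real perimeter logs through this only requires replacing `LINE_RE` and the timestamp format; the grouping and rate logic do not depend on the product. The per-hour figure is what lets you compare against the "about three an hour" pattern in the post, and the shared-destination check separates coordinated behaviour across hosts from a one-off connection by a single machine.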



