Open Source and information security mailing list archives
From: api at epost.de (Axel Pettinger)
Subject: Which worm?

bob sagart wrote:
>
> Hey everyone
> The other night I decided to see what traffic I could capture on tcp
> port 3127 (MyDoom backdoor) since I have been getting a lot of
> connection attempts showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was about the
> right size of most of the worms and backdoors using that port. But one
> of the dumps I got was 150kB and I was just wondering if anyone could
> tell me what it might be?

It's likely that it is one of the many (NAI counts more than 542)
"Gaobot" (aka "Agobot") variants. NAI's description:
http://vil.nai.com/vil/content/v_100785.htm

To be sure simply check the file using Kaspersky's Online Virus Scanner:
http://www.kaspersky.com/scanforvirus.html

> I cannot send it as an attachment as hotmail says it is a virus.

"Exploit-Mydoom.b"?

Regards,
Axel Pettinger