lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <005e01c3629e$1149f440$9302a8c0@Constant> From: jeremiah at nur.net (Jeremiah Cornelius) Subject: New Blaster variant using UDP port 1038? > We're starting to see exploit attempts that are followed by probes from the infected host on tcp/4444, > and then UDP/1038. Has anyone else seen this? Yeah. And UDP/1026. I mailed this yesterday: Interesting phenomenon emerging: We have noticed in our log aggregators that some of the same hosts yesterday that were doing port 135 scans... today seem to be doing some port 1026 scans. This is a listener port for MS Messenger. List follwers will remember that this has been used as an avenue for spammers to send "pop-up" alerts on users desktops. farm9 (the InfoSec group I work for) is keeping an eye on this - we correlate syslog, winlog, IDS and firewall data from a dozen or so enterprises. Has anybody spotted similar activity? It would be interesting to see if this is a new worm iteration. Maybe sombody clever has figured they can deliver MSSBlast.exe or phallus32.exe via Messenger. I have already noticed curious folks that find that they can bind to a shell on 4444, and are now fiddling around here - for a minute or so... ;-) -- Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut farm9 Security email: jc@...m9.com - mobile: 415.235.7689 "What would be the use of immortality to a person who cannot use well a half hour?" --Ralph Waldo Emerson
Powered by blists - more mailing lists