lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <005e01c3629e$1149f440$9302a8c0@Constant>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: New Blaster variant using UDP port 1038?

> We're starting to see exploit attempts that are followed by probes from
the infected host on tcp/4444,
> and then UDP/1038.  Has anyone else seen this?

Yeah. And UDP/1026.

 I mailed this yesterday:


Interesting phenomenon emerging:

We have noticed in our log aggregators that some of the same hosts yesterday
that were doing port 135 scans... today seem to be doing some port 1026
scans.  This is a listener port for MS Messenger.  List follwers will
remember that this has been used as an avenue for spammers to send "pop-up"
alerts on users desktops.

farm9 (the InfoSec group I work for) is keeping an eye on this - we
correlate syslog, winlog, IDS and firewall data from a dozen or so
enterprises.

Has anybody spotted similar activity?  It would be interesting to see if
this is a new worm iteration.  Maybe sombody clever has figured they can
deliver MSSBlast.exe or phallus32.exe via Messenger.

I have already noticed curious folks that find that they can bind to a shell
on 4444, and are now fiddling around here - for a minute or so... ;-)

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc@...m9.com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ