Message-ID: <OFC79DF88C.39F235CF-ON85256DA3.0059B813@internalgroove.net>
From: Jeff_Lopes at groove.net (Jeff_Lopes@...ove.net)
Subject: New worm on port 445 ?
Look here --> http://www.sophos.com/virusinfo/analyses/w32slanpera.html
Torge Szczepanek <full-disclosure@...zepanek.de>
Sent by: full-disclosure-admin@...ts.netsys.com
09/16/2003 03:55 AM

To: full-disclosure@...ts.netsys.com
cc:
Subject: [Full-Disclosure] New worm on port 445 ?

Hi!
I am receiving some amount of traffic on Port 445. Is this a new worm
using the newly discovered RPC-DCOM 039 issue or some other rather old
stuff?!? Anybody seen this too?
09:42:21.663609 x.y.21.z.1825 > 142.160.144.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:21.965317 x.y.21.z.1827 > 142.160.144.12.445: S
821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:22.770055 x.y.21.z.1829 > 142.160.144.13.445: S
822039122:822039122(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.277790 x.y.21.z.1831 > 142.160.144.14.445: S
822992385:822992385(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.768451 x.y.34.z.3313 > 61.1.233.234.445: S
2522939543:2522939543(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.868584 x.y.34.z.3311 > 61.1.233.233.445: S
2521375962:2521375962(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.123001 x.y.34.z.3315 > 61.1.233.235.445: S
2523847096:2523847096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.242447 x.y.34.z.3317 > 61.1.233.236.445: S
2523956316:2523956316(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.687108 x.y.21.z.1833 > 142.160.144.15.445: S
823437284:823437284(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.316677 x.y.34.z.3319 > 61.1.233.237.445: S
2524334266:2524334266(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.686965 x.y.21.z.1819 > 142.160.144.8.445: S
820773285:820773285(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.878556 x.y.34.z.3321 > 61.1.233.238.445: S
2524583492:2524583492(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.290585 x.y.21.z.1831 > 142.160.144.14.445: S
822992385:822992385(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.491632 x.y.21.z.1821 > 142.160.144.9.445: S
821065804:821065804(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.592166 x.y.21.z.1823 > 142.160.144.10.445: S
821179393:821179393(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.707247 x.y.34.z.3323 > 61.1.233.239.445: S
2524895980:2524895980(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.074483 x.y.34.z.3315 > 61.1.233.235.445: S
2523847096:2523847096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.174529 x.y.34.z.3317 > 61.1.233.236.445: S
2523956316:2523956316(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.698642 x.y.21.z.1833 > 142.160.144.15.445: S
823437284:823437284(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.698669 x.y.21.z.1825 > 142.160.144.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:28.000360 x.y.21.z.1827 > 142.160.144.12.445: S
821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
--
Torge Szczepanek <full-disclosure@...zepanek.de>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
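
An added example, not part of the original thread: a small Python triage script for a capture like the one quoted above. It rejoins the wrapped tcpdump records, then reports per source the distinct port-445 targets, the number of retransmitted SYNs, and whether the targets are consecutive addresses. The sample capture and its addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the post's tcpdump format; addresses are placeholders.
SAMPLE = """\
09:42:21.663609 10.0.21.5.1825 > 192.0.2.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:21.965317 10.0.21.5.1827 > 192.0.2.12.445: S
821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:22.770055 10.0.21.5.1829 > 192.0.2.13.445: S
822039122:822039122(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.663700 10.0.21.5.1825 > 192.0.2.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
"""

TIMESTAMP = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
SYN = re.compile(r"\S+ (\S+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S (\d+):")

def unwrap(text):
    """Rejoin records that the mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text, port=445):
    """Per source: distinct targets on `port`, SYN retransmits, sweep flag."""
    seen = defaultdict(lambda: defaultdict(int))  # src -> (sport, dst, seq) -> count
    for rec in unwrap(text):
        m = SYN.match(rec)
        if m and int(m.group(4)) == port:
            src, sport, dst, _, seq = m.groups()
            seen[src][(sport, dst, seq)] += 1
    report = {}
    for src, syns in seen.items():
        targets = sorted({ipaddress.ip_address(k[1]) for k in syns})
        gaps = [int(b) - int(a) for a, b in zip(targets, targets[1:])]
        report[src] = {
            "targets": [str(t) for t in targets],
            # Same source port and sequence number again = retransmitted SYN.
            "retransmits": sum(n - 1 for n in syns.values()),
            # Consecutive destination addresses indicate a sweep.
            "sequential": len(targets) > 2 and all(g == 1 for g in gaps),
        }
    return report
```

A retransmitted SYN means the earlier attempt got no answer, so a high retransmit count alongside consecutive targets points to blind address-range probing rather than ordinary file-sharing clients.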