| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040422084542.GA2228@maya.vse.cz> From: janus at volny.cz (Honza Vlach) Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Hi, we've experienced this worm too, and disinfected it as a new variant of Agobot (Gaobot). Basically it exploits poorly protected windows shared, RCP Dcom bug in windows etc. (most of the people infected had admin/admin login/passwords on their computers with default C$ share. Combine this with heavily unpatched system and Agobot can pick an attack vector according to it's current mood :-) By the way, it also acts as an IRC backdoor, which makes infected computers zombies. more info at: http://www.mynetwatchman.com/tools/sc/Agobot.htm http://isc.sans.org/diary.php?date=2004-04-01 http://www.sophos.com/virusinfo/analyses/w32agobotga.html Should be detected and disinfected by major antiviruses by now. Avast4 worked well for us. http://www.asw.cz/i_idt_1404.html Have a nice day, Honza Vlach On Wed, Apr 21, 2004 at 02:16:04AM -0700, mgotts@...ads.com wrote: > To: Jeff Kell <jeff-kell@....edu> > Cc: Incidents <incidents@...urityfocus.com>, > General DShield Discussion List <list@...ield.org> > Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 > X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003 > From: mgotts@...ads.com > Date: Wed, 21 Apr 2004 02:16:04 -0700 > > > > > Sound familiar to anyone? > > > > Have not seen the particular virus/worm, but have seen scans from single > IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence. > > 6129 is default port for dameware remote control agent: > http://isc.sans.org/port_details.php?port=6129 > > 3127 is used by MyDoom, Novarg and variants > http://isc.sans.org/port_details.php?isc=4359007a189bdac49792ce2e8ac2f7f0&port=3127&repax=1&tarax=2&srcax=2&percent=N&days=40 > > I'd start with these. But it could, as always, be yet another variant. > Lucky you. > > -- Mark Gottschalk > Two Roads Professional Resources -- () ascii ribbon campaign - against html mail /\ - against microsoft attachments -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040422/10a878dd/attachment.bin
Powered by blists - more mailing lists