[68986] in North American Network Operators' Group


UDP port 4000 traffic: likely a new worm

daemon@ATHENA.MIT.EDU (Johannes B. Ullrich)
Sat Mar 20 03:44:01 2004

From: "Johannes B. Ullrich" <jullrich@sans.org>
Reply-To: jullrich@sans.org
To: nanog@merit.edu
Date: Sat, 20 Mar 2004 03:43:07 -0500
Errors-To: owner-nanog-outgoing@merit.edu



Looks like there may be a worm going around hitting systems that run
BlackIce. Common characteristics of the packets: Source port 4000 (but
random target port) and the string
"insert witty message here".

Details will be posted here:
http://isc.sans.org/diary.html
as I get them together.


--
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich@sans.org

contact details: http://johannes.homepc.org/contact.htm
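
An added example, not part of the original post or of any SANS tooling: a Python check that parses a raw IPv4 packet and flags UDP traffic carrying both characteristics given in the message (source port 4000 and the quoted string), ignoring the target port. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import struct

SRC_PORT = 4000                          # source port reported in the post
MARKER = b"insert witty message here"    # payload string reported in the post

def parse_ipv4_udp(packet: bytes):
    """Return (src_port, dst_port, payload) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4             # header length; options make it > 20
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17:
        return None                          # malformed, truncated, or not UDP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                          # later fragment: carries no UDP header
    src, dst, udp_len, _cksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + max(udp_len, 8)]
    return src, dst, payload

def matches_report(packet: bytes) -> bool:
    """True when both reported characteristics are present; target port is ignored."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return False
    src, _dst, payload = parsed
    return src == SRC_PORT and MARKER in payload

def build_packet(src_port, dst_port, payload, options=b""):
    """Constructed test input: IPv4/UDP packet, checksums left at zero."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip + udp + payload

if __name__ == "__main__":
    samples = {  # all constructed, none captured from real traffic
        "port 4000 + string": build_packet(4000, 31337, b"\x00" * 8 + MARKER),
        "port 4000, other payload": build_packet(4000, 31337, b"hello"),
        "string, other source port": build_packet(53, 31337, MARKER),
    }
    for name, pkt in samples.items():
        print(f"{name}: {matches_report(pkt)}")
```
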
