[68993] in North American Network Operators' Group
Re: UDP port 4000 traffic: likely a new worm
daemon@ATHENA.MIT.EDU (Josh Richards)
Sat Mar 20 14:10:26 2004
Date: Sat, 20 Mar 2004 11:09:50 -0800
From: Josh Richards <jrichard@digitalwest.net>
To: nanog@merit.edu
In-Reply-To: <1079772187.27878.88.camel@bart>
Errors-To: owner-nanog-outgoing@merit.edu

Confirmed. We had our first customer (colo) hit yesterday evening at
20:43 PST. Additionally, they experienced the hard drive corruption (which
was added to the ISC diary entry within the last several hours). Traffic
was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant
60 Mbit/s before we took them off-line.

-jr

* Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:
> Looks like there may be a worm going around hitting systems that run
> BlackIce. Common characteristics of the packets: Source port 4000 (but
> random target port) and the string
> "insert witty message here".
>
> details will be posted here:
> http://isc.sans.org/diary.html
> as I get them together.
--
Josh Richards | Colocation Web Hosting Bandwidth
Digital West Networks | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA | AS14589 & AS29962
jrichard@digitalwest.net | DWNI - Making Internet Business Better
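
Added example, not part of either message in this thread: a minimal Python check for the two packet traits reported above (UDP source port 4000 and the quoted payload string), with per-source counts so an affected host can be identified and isolated. The function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SRC_PORT = 4000                          # source port reported in the thread
MARKER = b"insert witty message here"    # payload string reported in the thread

def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not parseable IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_off or total_len < ihl + 8 or len(pkt) < ihl + 8:
        return None                      # bad header, or a later fragment with no UDP header
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:min(total_len, len(pkt))]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), sport, dport, payload)

def is_suspect(pkt):
    """True when both reported traits are present: UDP source port 4000 and the marker."""
    parsed = parse_ipv4_udp(pkt)
    return bool(parsed) and parsed[2] == SRC_PORT and MARKER in parsed[4]

def suspect_sources(packets):
    """Map each source IP with matching packets to (packet count, distinct destination ports)."""
    seen = defaultdict(lambda: [0, set()])
    for pkt in packets:
        if is_suspect(pkt):
            src, _, _, dport, _ = parse_ipv4_udp(pkt)
            seen[src][0] += 1
            seen[src][1].add(dport)
    return {src: (n, len(ports)) for src, (n, ports) in seen.items()}

def build_packet(src, dst, sport, dport, payload):
    """Constructed test input: minimal IPv4/UDP packet, checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.7", 4000, 17234, b"\x00" * 16 + MARKER + b"\x00" * 8),
    build_packet("192.0.2.10", "203.0.113.9", 4000, 5122, b"xx" + MARKER),
    build_packet("192.0.2.20", "198.51.100.7", 4000, 53, b"ordinary datagram"),
    build_packet("192.0.2.30", "198.51.100.7", 53124, 4000, MARKER),
]
```

Requiring both traits keeps ordinary traffic that merely uses port 4000 out of the result; only 192.0.2.10 is reported for the sample set.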