[69002] in North American Network Operators' Group


Re: UDP port 4000 traffic: likely a new worm

daemon@ATHENA.MIT.EDU (Rodney Joffe)
Sat Mar 20 20:54:15 2004

Date: Sat, 20 Mar 2004 20:52:58 -0500
From: "Rodney Joffe" <rjoffe@centergate.com>
Reply-To: "Rodney Joffe" <rjoffe@centergate.com>
To: jrichard@digitalwest.net
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


Unfortunately the vulnerability has proven to not be restricted to port 4000. Keep monitoring SANS :-(

-----Original Message-----
From: Josh Richards <jrichard@digitalwest.net>
Date: Sat, 20 Mar 2004 13:50:30 
To: nanog@merit.edu
Subject: Re: UDP port 4000 traffic: likely a new worm


The good news is that "witty" appears to not be a very witty propagator.
Our flow data shows attempts to connect to 4000/udp on hosts in our 
network having a downward trend over the last few hours:

Time    Unique Source IPs
08:00   350
09:00   332
10:00   297
11:00   298
12:00   265

(all times PST)

-jr

* Josh Richards <jrichard@digitalwest.net> [20040320 11:10]:
> 
> Confirmed.  We had our first customer (colo) hit yesterday evening at 
> 20:43 PST.  Additionally, they experienced the hard drive corruption (which
> was added to the ISC diary entry within the last several hours).  Traffic 
> was 4000/udp.  Initial 90 Mbit/s peak which leveled out at a constant
> 60 Mbit/s before we took them off-line.
> 
> -jr
> 
> * Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:
> > Looks like there may be a worm going around hitting systems that run
> > BlackIce. Common characteristics of the packets: Source port 4000 (but
> > random target port) and the string 
> > "insert witty message here".
> > 
> > details will be posted here:
> > http://isc.sans.org/diary.html
> > as I get them together.

-- 
Josh Richards            | Colocation   Web Hosting   Bandwidth
Digital West Networks    | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA      | AS14589 & AS29962
jrichard@digitalwest.net | DWNI - Making Internet Business Better
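
An added example, not part of the original thread or of any poster's tooling: a per-hour count of distinct source IPs, like the table above, built from the packet characteristics quoted in the thread (UDP, source port 4000, the string "insert witty message here"). The record layout, the function names and the sample flows are assumptions constructed for illustration; a destination-port-only filter is included for comparison.

```python
from collections import defaultdict
from datetime import datetime

MARKER = b"insert witty message here"  # string quoted in the thread

# Constructed sample records (documentation addresses, not real traffic):
# (timestamp, src_ip, proto, src_port, dst_port, payload)
FLOWS = [
    ("2004-03-20 08:05:11", "192.0.2.10",   "udp", 4000, 31337, b"..insert witty message here.."),
    ("2004-03-20 08:17:42", "192.0.2.10",   "udp", 4000, 2049,  b"..insert witty message here.."),
    ("2004-03-20 08:40:03", "198.51.100.7", "udp", 4000, 4000,  b"\x00insert witty message here"),
    ("2004-03-20 08:41:00", "203.0.113.5",  "udp", 53,   4000,  b"\x12\x34unrelated"),
    ("2004-03-20 09:02:19", "198.51.100.7", "udp", 4000, 512,   b"insert witty message here"),
    ("2004-03-20 09:30:00", "203.0.113.9",  "tcp", 4000, 80,    b"GET / HTTP/1.0"),
]

def matches(proto, src_port, payload):
    """True for UDP packets with source port 4000 that carry the marker string."""
    return proto == "udp" and src_port == 4000 and MARKER in payload

def unique_sources_per_hour(flows):
    """Return {"HH:00": number of distinct source IPs with matching packets}."""
    seen = defaultdict(set)
    for ts, src, proto, sport, _dport, payload in flows:
        if matches(proto, sport, payload):
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%H:00")
            seen[hour].add(src)
    return {hour: len(ips) for hour, ips in sorted(seen.items())}

def dst_port_only(flows, port=4000):
    """Sources that a filter on UDP destination port alone would count."""
    return {src for _, src, proto, _, dport, _ in flows
            if proto == "udp" and dport == port}

if __name__ == "__main__":
    print("Time\tUnique Source IPs")
    for hour, count in unique_sources_per_hour(FLOWS).items():
        print(f"{hour}\t{count}")
    print("dst-port-only sources:", sorted(dst_port_only(FLOWS)))
```

On the constructed records, the destination-port-only filter misses 192.0.2.10 (random target ports) and counts 203.0.113.5, whose packet carries no marker.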

