[69030] in North American Network Operators' Group
AW: UDP port 4000 traffic: likely a new worm
daemon@ATHENA.MIT.EDU (Florian Frotzler)
Mon Mar 22 14:03:39 2004
From: "Florian Frotzler" <florian.frotzler@gmx.at>
To: <nanog@merit.edu>
Cc: <noc@ewave.at>
Date: Mon, 22 Mar 2004 20:02:47 +0100
In-Reply-To: <20040321234648.3db01d0b@honkintosh>
Errors-To: owner-nanog-outgoing@merit.edu
I can acknowledge that we see the worm also in Europe/Austria. Today we
had a customer with a Black Ice firewall flooding us with random
4000/udp traffic before we shut him down.
Kind Regards,
--
DI (FH) Florian Frotzler
IT Planning
e W ) a ) v ) e
eWave Telekommunikation GmbH
A-1210 Wien, Ignaz-Koeck-Strasse 1
> From: George Bakos
>
> The number of immediately vulnerable hosts was rapidly
> depleted by the worm, given the launch was AFTER most
> business had shut down for the weekend. I'll venture that
> Black Ice, a commercial security product, is deployed much
> more widely on the corporate laptop than the home machine.
>
> I expect to see more than a slight bump in those numbers come
> Monday AM.
>
> g
>
> On Sat, 20 Mar 2004 13:50:30 -0800
> Josh Richards <jrichard@digitalwest.net> wrote:
>
> > The good news is that "witty" appears to not be a very witty
> > propagator. Our flow data shows attempts to connect to 4000/udp on
> > hosts in our network having a downward trend over the last few hours:
> >
> > Time    Unique Source IPs
> > 08:00   350
> > 09:00   332
> > 10:00   297
> > 11:00   298
> > 12:00   265
>
>
> --
> George Bakos
> Institute for Security Technology Studies
> Dartmouth College
> gbakos@ists.dartmouth.edu
> 603.646.0665 -voice
> 603.646.0666 -fax
>
> pub 1024D/081ECB85 1999-04-09 George Bakos <gbakos@ists.dartmouth.edu>
> Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
>
>
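Added example, not part of the original messages: one way to produce the hourly "unique source IPs" count quoted above from exported flow records, and to pick out a single source spraying 4000/udp traffic at many destinations, as in the customer case described in the reply. The CSV layout, the sample records, the function names and the fan-out threshold are assumptions made for illustration; port 4000 is matched on either end of the flow so that both reports are covered.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

PORT = "4000"  # UDP port named in the thread

# Constructed flow records (start time, src, sport, dst, dport, proto).
# Addresses are documentation ranges; none of this is data from the thread.
SAMPLE_FLOWS = """\
2004-03-20T08:05:11,198.51.100.7,4000,192.0.2.10,31337,udp
2004-03-20T08:17:42,198.51.100.9,4000,192.0.2.11,2049,udp
2004-03-20T08:40:03,198.51.100.7,4000,192.0.2.12,514,udp
2004-03-20T08:41:00,203.0.113.5,53124,192.0.2.10,80,tcp
2004-03-20T09:02:30,198.51.100.9,4000,192.0.2.13,6112,udp
2004-03-20T09:10:00,192.0.2.50,4000,203.0.113.1,1025,udp
2004-03-20T09:10:01,192.0.2.50,4000,203.0.113.2,40211,udp
2004-03-20T09:10:02,192.0.2.50,4000,203.0.113.3,9,udp
"""

def parse_flows(text):
    """Yield (hour, src, dst) for UDP flows with port 4000 on either end."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed records instead of aborting the report
        ts, src, sport, dst, dport, proto = row
        if proto.lower() != "udp" or PORT not in (sport, dport):
            continue
        try:
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        except ValueError:
            continue  # unparseable timestamp
        yield hour, src, dst

def unique_sources_per_hour(text):
    """Map each hour bucket to the number of distinct source addresses seen."""
    hours = defaultdict(set)
    for hour, src, _ in parse_flows(text):
        hours[hour].add(src)
    return {h: len(s) for h, s in sorted(hours.items())}

def flooding_sources(text, min_targets=3):
    """Sources that reached at least min_targets distinct hosts in one hour."""
    fanout = defaultdict(set)
    for hour, src, dst in parse_flows(text):
        fanout[(hour, src)].add(dst)
    return sorted({s for (_, s), d in fanout.items() if len(d) >= min_targets})

if __name__ == "__main__":
    print(unique_sources_per_hour(SAMPLE_FLOWS))
    print(flooding_sources(SAMPLE_FLOWS))
```

In production the threshold would be far higher than 3 and tuned against normal traffic for the port; it is low here only so the small constructed sample triggers it.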