[69456] in North American Network Operators' Group
Re: worm information
daemon@ATHENA.MIT.EDU (Jack McCarthy)
Mon Apr 12 06:43:54 2004
Date: Sat, 10 Apr 2004 11:36:37 -0700 (PDT)
From: Jack McCarthy <nanog@jackmccarthy.com>
Reply-To: nanog@jackmccarthy.com
To: nanog@merit.edu
Cc: chris@bblabs.com
In-Reply-To: <B0007605104@mail.bblabs.net>
Errors-To: owner-nanog-outgoing@merit.edu
Agobot scanning...
Take a look at these links:
http://isc.sans.org/diary.php?date=2004-04-05
http://isc.sans.org/diary.php?date=2004-04-01
http://isc.sans.org/diary.php?date=2004-04-09
Also, take a read through the "New Worm???" thread at:
http://www.dshield.org/pipermail/intrusions/2004-April/thread.php
-Jack
--- "Christopher J. Wolff" <chris@bblabs.com> wrote:
>
> Hello,
>
> Over the last few days I've seen a number of hosts attempt to initiate TCP
> connections to the following ports in sequence.
>
> 80
> 139
> 445
> 6129
> 3127
> 1025
> 135
> 2745
> ...repeat.
>
> At this moment I haven't seen a correlation between this activity and the
> port exploitation list on CERT. Any insight would be appreciated, thank
> you.
>
> Regards,
> Christopher J. Wolff, VP CIO
> Broadband Laboratories, Inc.
> http://www.bblabs.com
>
>
>
>
>
