[34272] in bugtraq


Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?

daemon@ATHENA.MIT.EDU (Steve Browning)
Sat Mar 27 13:18:26 2004

From: "Steve Browning" <browningsteve@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sat, 27 Mar 2004 01:25:10 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY15-F7hNfv57kVwyr0003350b@hotmail.com>

Everyone, over the past 4 days I have been observing very random outgoing 
connection requests to a single external machine on the inet over ports 3127 
and 3198.

The three machines in question are running Windows 2000 Server with all 
security fixes and current Symantec anti-virus definitions.  The following 
characteristics are being observed:

1.  Outgoing connections started on Tuesday morning.  Approximately 3 probes 
an hour.

2.  Each machine is trying to reach the same IP address on the inet. (IP 
belongs to a private company)

3.  Probes slowed down on Tuesday afternoon, then stopped altogether.  On 
Wednesday afternoon I observed a couple more probes, then nothing.

I have scanned these machines with AV software, no viruses detected, and 
because the ports in question are normally associated with 
Novarg/mydoom/doomjuice I ran the removal utilities from Microsoft and the 
AV vendor which detected nothing either.

I visited the machines and ran FPORT, PSlist and a couple of other tools and 
detected no unusual processes.  I also scanned each of the machines with 
Nmap and Nessus and detected nothing out of the ordinary. (no open ports 
other than MS stuff etc)  I have blocked all outgoing access to the IP in 
question. (the ports were already closed incoming/outgoing)  I have also 
placed a sniffer in front of these machines configured to capture traffic 
going to the suspect IP address, so far nothing.

Does anyone have any idea whether there is an unknown virus/worm using TCP 
3127/3198?  I will be rebuilding these machines shortly but I just wanted to 
get some feedback or see whether anyone else was experiencing similar 
problems.

Thanks in advance for any replies,

Steve

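One way to turn the pattern described in this post into a detection, as an added example that is not part of the original message: a Python script that parses constructed firewall log lines and reports external IPs that several internal hosts contact on TCP 3127 or 3198, with the hit count and hourly rate, so that a few probes an hour from several machines to one address stand out. The log line format, the 10.0.0.x source hosts and the 203.0.113.9 destination are assumptions made for the example.

```python
"""Flag outbound TCP 3127/3198 beaconing from several hosts to one external IP."""
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines, not real data. The line format, the
# 10.0.0.x source hosts and the 203.0.113.9 destination are assumptions.
SAMPLE_LOG = """\
2004-03-23T08:12:04 ALLOW TCP 10.0.0.11:1077 -> 203.0.113.9:3127
2004-03-23T08:31:40 ALLOW TCP 10.0.0.12:1203 -> 203.0.113.9:3198
2004-03-23T08:44:19 ALLOW TCP 10.0.0.11:1081 -> 203.0.113.9:3127
2004-03-23T09:02:55 ALLOW TCP 10.0.0.13:1311 -> 203.0.113.9:3127
2004-03-23T09:15:10 ALLOW TCP 10.0.0.11:1099 -> 198.51.100.5:80
2004-03-23T09:58:33 ALLOW TCP 10.0.0.12:1250 -> 203.0.113.9:3127
"""

SUSPECT_PORTS = {3127, 3198}  # ports the post associates with Novarg/mydoom/doomjuice


def parse_line(line):
    """Split one log line into timestamp, protocol, source IP, destination IP and port."""
    ts, _action, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def find_beacons(log_text, ports=SUSPECT_PORTS, min_hosts=2):
    """Return {dst_ip: {"sources", "hits", "rate_per_hour"}} for external IPs
    that at least `min_hosts` distinct internal hosts contacted on the suspect
    ports: the pattern in the post (several machines, one address, ~3/hour)."""
    by_dst = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            if ev["proto"] == "TCP" and ev["dport"] in ports:
                by_dst[ev["dst"]].append(ev)
    report = {}
    for dst, evs in by_dst.items():
        sources = sorted({e["src"] for e in evs})
        if len(sources) < min_hosts:
            continue
        stamps = [e["ts"] for e in evs]
        span_h = (max(stamps) - min(stamps)).total_seconds() / 3600
        # Below one hour of observation, report the raw count as the hourly rate.
        rate = len(evs) / max(span_h, 1.0)
        report[dst] = {"sources": sources, "hits": len(evs),
                       "rate_per_hour": round(rate, 1)}
    return report
```

Feeding the sample log to find_beacons reports 203.0.113.9 with 5 hits from three hosts at roughly 2.8 per hour, while the single port 80 connection is ignored.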

