North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: UDP port 4000 traffic: likely a new worm
- From: Josh Richards
- Date: Sat Mar 20 16:52:45 2004
The good news is that "witty" appears to not be a very witty propagator.
Our flow data shows attempts to connect to 4000/udp on hosts in our
network having a downward trend over the last few hours:
Time Unique Source IPs
(all times PST)
* Josh Richards <email@example.com> [20040320 11:10]:
> Confirmed. We had our first customer (colo) hit yesterday evening at
> 20:43 PST. Additionally, they experienced the hard drive corruption (which
> was added to the ISC diary entry within the last several hours). Traffic
> was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant
> 60 Mbit/s before we took them off-line.
> * Johannes B. Ullrich <firstname.lastname@example.org> [20040320 00:44]:
> > Looks like there may be a worm going around hitting systems that run
> > BlackIce. Common characteristics of the packets: Source port 4000 (but
> > random target port) and the string
> > "insert witty message here".
> > details will be posted here:
> > http://isc.sans.org/diary.html
> > as I get them together.
Josh Richards | Colocation Web Hosting Bandwidth
Digital West Networks | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA | AS14589 & AS29962
email@example.com | DWNI - Making Internet Business Better