Port Information
Protocol  Service        Name
tcp       ---            ---
tcp       checkmk-agent  Checkmk Monitoring Agent
Top IPs Scanning
User Comments
Submitted By: Jim Chrisos - LURHQ - www.lurhq.com
Date: 2005-08-03 07:27:49
Comment:
Backdoor.Win32.Codbot.ag (Kaspersky), W32.Toxbot (Symantec), W32/Sdbot.worm.gen.w (McAfee)
http://www.globalhauri.com/html/support/virus_read.html?code=BAW3000732

If it is connected to a particular IRC channel with remote port 6556 (IRC server port), the operator's command is executed to attempt scanning of particular ports (port 80, 135, 137, 445) and IP scanning with random IPs. If the following vulnerabilities are found on a system, the backdoor is downloaded and executed on that system. Also, it is connected to the particular IRC channel with remote port 6556 by the operator's command, so system information is exposed or the worm is sent to other IRC users.

1. It uses the following Windows security vulnerabilities.
- Network shares set with passwords that are easy to guess.
- RPC DCOM Vulnerability (Microsoft Security Board MS03-026), TCP Port 135 and 445
- NetDDE Vulnerability (Microsoft Security Board MS04-031)
- WebDav Vulnerability (Microsoft Security Board MS03-007), TCP Port 80
- NetBios Vulnerability (Microsoft Security Board MS03-034), UDP Port 137, 139
- LSASS Vulnerability (Microsoft Security Board MS04-011), TCP/UDP Port 135 and 445

*Notes: A remote code execution vulnerability exists in the NetDDE (Network Dynamic Data Exchange) service because of a buffer that isn't checked. The NetDDE service isn't started by default. An attacker is able to misuse those vulnerabilities remotely when the service is started manually or by an application program that needs NetDDE.

2. It uses a vulnerability of Microsoft SQL Server. It uses the MS-sql mssqlpass vulnerability, the password of the 'sa' account, and TCP Port 1433.

*Notes: When MS-sql is installed, the 'sa' account that is created by default has no password set, so it infects by attempting to log in while scanning for MS-sql installations that have those vulnerabilities. Also, important information such as system environment information or passwords is sent to the operator or the malicious code programmer.

A lot of network traffic occurs when scanning the attack target.