Port 1025/6000 Action (Part II)

Published: 2005-12-11. Last Updated: 2005-12-11 20:53:00 UTC
by Tony Carothers (Version: 1)
0 comment(s)

As reported by Koon Tan yesterday we have seen, and are continuing to see, increased activity reported by more users now.  The link below will show a graph that indicates activity over the past ~72 hours.

http://isc.sans.org/images/port1025tcp.png



We still need full packet captures to help nail this down, so if anybody has them please submit them via the 'Contact' link at the top of the page.

Core Security Technologies has an excellent article on this subject and RPC Vulnerabilities.  One highlight from this article is that the "patches for these vulnerabilities ..... effectively fix the problem(s)" with the vunerabilities used in the discussion.  All of the vulnerabilities are more than 18 months old; these fixed have been out for some time, giving lots of time for admins to perform testing and loading of said patches.

Keywords:
0 comment(s)

Port 53 Back on the Radar

Published: 2005-12-11. Last Updated: 2005-12-11 20:44:44 UTC
by Tony Carothers (Version: 1)
0 comment(s)
Handler Patrick N. pointed out that port 53 has made a comeback as of late, with the release of W32.Spybot.ABDO.  Symantec's write-up points out that Spybot.ABDO "Opens a back door by connecting to an IRC server on the following domain through TCP port 53".  Looking at the Port 53 Report using DShield data, the amount of targets has more than doubled in the past ~48 hours.
 
Something to keep in mind is that this time there may be several unscrupulous activities using 53.  Other malware that has been discovered in recent months, using Port 53, include Backdoor.Civcat, Trojan.Esteems.C, Trojan.Esteems, and W32.Beagle.BH@mm. 

Any thoughts welcome.....

Keywords:
0 comment(s)

Comments

Login here to join the discussion.


Diary Archives