Port 39999; Possible Vesser/W32.HLLW.Deadhat activity
For the most part, it was a pretty quiet day, with just the normal noise on the Internet. Here are some things:
Port 39999
Activity to port 39999 was reported today. It appears that these may be attempts to connect to a Trojan called Trojan.mitglieder.b.html, which sets up a proxy on this port that is used to send spam. Once a system is infected, the Trojan will notify certain sites of the compromise. For more information, see
http://www.symantec.com/avcenter/venc/data/trojan.mitglieder.b.html
**As a side note, don't forget that many folks connecting to the Internet use DHCP, so they often inherit the IP of someone who was offering services or was infected by malicious code that listens on a certain port. As a result, you may see unusual and maybe persistent connection attempts to that port on your box.**
Possible Vesser/W32.HLLW.Deadhat activity
More reports of activity on ports 3127, 3128 and 1080 are coming in. This seems to be consistent with Vesser/W32.HLLW.Deadhat worm activity. For more information on this, see the diary entry from 7 February 04.
http://isc.sans.org/diary.html?date=2004-02-07
Lorna Hutcheson