[Gllug] Slapper worm
Mark Lowes
hamster at korenwolf.net
Wed Sep 18 11:23:06 UTC 2002
On Wed, 2002-09-18 at 12:10, John Winters wrote:
> Hmm. I've just had a look. The probes I'm seeing are to:
>
> TCP 22

Looking for recent openssh hole

> TCP 23

Does anyone leave telnet open anymore?

> TCP 25
> TCP 1080
> TCP 3128
> TCP 8080

Open relays.

> TCP 443

slapper.

> TCP 1433

mssql bug

> TCP 1521
> TCP 2000
> TCP 32771
> TCP 32772
> TCP 2002

no idea.

> TCP 3306

not aware of any holes on 3306.

> but none to:
>
> UDP 2002
>
> and it is clearly working through IP addresses in sequence
> because I have 4 IP addresses on that subnet and it tried them all. Is
> this slapper or something else?

This is someone port scanning looking for likely holes to come back and
bulk attack later. You get used to port scans after a while, reporting
them rarely gets action from the ISP :(

The logic from the scanner's point of view is "find as many IPs with
these ports open and keep a nice db, when a new hole is announced get
the script and hit all those IPs last known live on that port as fast
and hard as possible"

Yes, they are b*tards who need to look up the word "ethical".
--
The Flying Hamster <hamster at korenwolf.net>
http://www.korenwolf.net/
If reality doesn't fit the theory, reality MUST be changed!!!
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
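A way to confirm from firewall logs the pattern discussed in this thread, where one source tries the same ports on every address in a subnet. This is an added example, not part of the original post. It assumes netfilter `LOG`-style lines; the sample data is constructed with documentation addresses, and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Port notes as given in the reply above; ports it had no answer for map to "unknown".
PORT_NOTES = {
    22: "openssh hole", 23: "telnet", 25: "open relay", 1080: "open relay",
    3128: "open relay", 8080: "open relay", 443: "slapper", 1433: "mssql bug",
}
# Assumed input: netfilter LOG-style lines carrying SRC=, DST=, PROTO= and DPT= fields.
LINE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

def find_sweeps(lines, min_hosts=3, min_ports=3):
    """Return {src: report} for sources that probed several local IPs on several TCP ports."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> dest port -> {dest IPs}
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(3) != "TCP":
            continue
        src, dst, _, dpt = m.groups()
        seen[src][int(dpt)].add(dst)
    sweeps = {}
    for src, ports in seen.items():
        hosts = set().union(*ports.values())
        if len(hosts) >= min_hosts and len(ports) >= min_ports:
            # A port tried on every host this source touched is a sweep, not a stray connection.
            swept = sorted(p for p, dsts in ports.items() if dsts == hosts)
            sweeps[src] = {"hosts": sorted(hosts), "swept_ports": swept,
                           "notes": {p: PORT_NOTES.get(p, "unknown") for p in swept}}
    return sweeps

def sample_log():
    """Constructed lines: one scanner walking four addresses, plus one ordinary mail client."""
    fmt = "Sep 18 11:0{}:00 gw kernel: IN=eth0 OUT= SRC={} DST={} LEN=60 PROTO=TCP SPT=40000 DPT={} SYN"
    lines = [fmt.format(i, "192.0.2.77", f"198.51.100.{8 + i}", port)
             for port in (22, 443, 1433) for i in range(4)]
    lines.append(fmt.format(5, "203.0.113.5", "198.51.100.8", 25))
    return lines

if __name__ == "__main__":
    for src, report in find_sweeps(sample_log()).items():
        print(src, len(report["hosts"]), "hosts", report["notes"])
```
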