AW: UDP port 4000 traffic: likely a new worm

Florian Frotzler florian.frotzler at gmx.at
Mon Mar 22 19:02:47 UTC 2004


I can acknowledge that we see the worm also in Europe/Austria. Today we
had a customer with a Black Ice firewall flooding us with random
4000/udp traffic before we shut him down. 


Kind Regards,

-- 
DI (FH) Florian Frotzler 
IT Planning 

e W ) a ) v ) e 
eWave Telekommunikation GmbH 
A-1210 Wien, Ignaz-Koeck-Strasse 1 


> From: George Bakos
> 
> The number of immediately vulnerable hosts was rapidly 
> depleted by the worm, given the launch was AFTER most 
> business had shut down for the weekend. I'll venture that 
> Black Ice, a commercial security product, is deployed much 
> more widely on the corporate laptop than the home machine.
> 
> I expect to see more than a slight bump in those numbers come 
> Monday AM.
> 
> g
> 
> On Sat, 20 Mar 2004 13:50:30 -0800
> Josh Richards <jrichard at digitalwest.net> wrote:
> 
> > The good news is that "witty" appears to not be a very witty 
> > propagator. Our flow data shows attempts to connect to 4000/udp on 
> > hosts in our network having a downward trend over the last few hours:
> > 
> > Time   Unique Source IPs
> > 08:00	350 
> > 09:00	332
> > 10:00	297
> > 11:00	298
> > 12:00	265 
> 
> 
> -- 
> George Bakos
> Institute for Security Technology Studies
> Dartmouth College
> gbakos at ists.dartmouth.edu
> 603.646.0665 -voice
> 603.646.0666 -fax
> 
> pub  1024D/081ECB85 1999-04-09 George Bakos <gbakos at ists.dartmouth.edu>
>      Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
> 
> 



