There are a number of viruses/worms in the wild that are programmed to exploit various M$ vulnerabilities:
80 - IIS WebDAV (MS03-007) and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares
I'm not sure about the other ports, I *think* 1025 has something to do with MS RPC as well, but don't quote me on that.
What you are probably seeing, at least in the cases involving the ports I listed above, is one of the many W32.Gaobot (Symantec)[1] variants.
This is correct. My organization has been infected with this
and it is a particularly nasty little bugger. We may have been
'patient 0' in terms of sending copies of the virus to Symantec
so they could write signatures for it. Infected hosts flood
the network with a tremendous amount of data and port opening.
I at least managed to quarantine off all my VPN devices, which
seemed to be the entry point.
Thank you for the input. The 'unique' feature of this infestation is that
affected hosts don't transmit a lot of data... however they do open up
thousands of flows in a very short time. Perhaps that's not unique, but it
certainly is annoying.
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc. http://www.bblabs.com
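The symptom described in the two messages above (little data, but thousands of flows in a short time to the ports listed at the top of the thread) is easy to pick out of flow records with a per-source sliding window. The script below is an added illustration, not code from any poster on this thread; it assumes a simplified NetFlow-style export of one flow per line (`timestamp src_ip dst_ip dst_port`), constructs its own sample records, and uses a 60-second window with a 100-flow threshold as assumed tuning values.

```python
"""Flag hosts that open many flows to worm-targeted ports in a short window.

Added example for the thread above, not code from any poster. The line
format, window and threshold are assumptions, not a real exporter's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the thread as targets of the worm variants
SUSPECT_PORTS = {80, 135, 139, 445, 1025}


def parse_flow_line(line):
    """Parse 'ISO-timestamp src_ip dst_ip dst_port' (constructed format)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def max_flows_in_window(times, window):
    """Largest number of flow starts from one host inside any span of `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:  # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flow_flooders(lines, window=timedelta(seconds=60), threshold=100):
    """Return {src_ip: peak_flows_in_window} for hosts at or above threshold.

    Only flows to SUSPECT_PORTS count, so a busy web proxy talking to port 80
    could still trip this; in practice you would whitelist known servers.
    """
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow_line(line)
        if port in SUSPECT_PORTS:
            per_src[src].append(ts)
    result = {}
    for src, times in per_src.items():
        peak = max_flows_in_window(times, window)
        if peak >= threshold:
            result[src] = peak
    return result


def build_sample_flows():
    """Constructed sample: one host sweeping 445/135 fast, one normal host."""
    base = datetime(2004, 4, 10, 11, 37, 15)
    lines = []
    for i in range(120):  # 120 flows in 30 s from the 'infected' host
        ts = base + timedelta(milliseconds=250 * i)
        port = 445 if i % 2 else 135
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.168.1.{i % 250 + 1} {port}")
    for i in range(5):  # 5 flows spread over 8 min from a normal host
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 192.168.1.20 445")
    return lines


if __name__ == "__main__":
    for host, peak in find_flow_flooders(build_sample_flows()).items():
        print(f"{host}: {peak} flows to worm-targeted ports within 60 s")
```

Counting flow starts rather than bytes is the point: a byte-rate alarm would miss exactly the behaviour described here, while a flow-rate alarm on the listed ports catches it and also gives you the source address to quarantine.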
Hmm, honestly I can't vouch for the data rate personally.
A co-worker said the counters on the VPN connections were
grossly disproportionate for a short time sample.
Bottom line, it is indeed annoying. I know my server
and desktop groups have been having a hell of a time
disinfecting hosts. I know part of this was that
Symantec, at the time, said it may be a polymorphic
strain.
-r
On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:
One of the responses to this thread mentioned a 3COM switch. One of the
infected sites has a 3COM SuperStack 1100. I'm not a 3COM fan, but these
switches have been up for years, literally. All it takes to make this
switch reboot is a flow from one infected host. I'm going to try to move
the web interface port away from 80. Thank you.
Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc. http://www.bblabs.com