24-06-04

harvesting zombies for the next attack

Over the past couple of days there has been a large rise in port 9898 activity reported http://www.dshield.org/port_report.php?port=9898 . The Dabber worm (which rides in on the coattails of Sasser) opens a listener on port 9898, which is then probed by the attacking system to confirm its success. We're unaware of any "counter-counter" worm that is looking for Dabber backdoors, but I have seen a significant rise in scanning for it, as well. My honeypotted networks have seen several sequential SYN "half-open" scans which return a RST packet whenever the SYN is acknowledged.  (Internet Storm Center)
 
Be sure to have your port 9898 blocked in your firewall

13:42 Gepost door technology changes fast not a lot | Permalink | Commentaren (0) |  Facebook |

De commentaren zijn gesloten.