Korgo infections at 50%

Discussion in 'malware problems & news' started by Link Logger, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. Link Logger

    Link Logger Security Expert

    Joined:
    Mar 13, 2004
    Posts:
    3
    I thought I'd return the favour of the 2050 systems which scanned my port 445 on June 10th (local date/time) and scan them back looking for worm signatures in open ports. Of course, since the scan was performed at 1 am on June 11, some of the systems scanned are not the same systems that scanned me, etc., but it is just an experiment and I'll live with the various imperfections in order to get an idea as to what is out there.

    Of the 2050 systems I found 605 systems (which responded to an ICMP ping). Here is a rough breakdown of the interesting open ports I found (I scanned for 36 TCP ports and 8 UDP ports).

    396 - TCP Port 1025
    367 - TCP Port 445
    366 - TCP Port 5000
    299 - TCP Port 113 (Korgo)
    279 - TCP Port 3067 (Korgo)
    271 - TCP Port 123
    55 - TCP Port 22
    40 - TCP Port 80
    18 - TCP Port 21
    16 - TCP Port 25
    15 - TCP Port 1023 (Sasser.G)
    10 - TCP Port 110
    9 - TCP Port 5554 (Sasser)
    9 - TCP Port 1022 (Sasser.G)
    5 - TCP Port 9996 (Sasser)
    5 - TCP Port 559
    3 - TCP Port 4444 (MSBlast)
    3 - TCP Port 1433
    2 - TCP Port 8967 (Dabber)
    1 - TCP Port 65506
    1 - TCP Port 3127 - oh how the mighty have fallen

    So roughly half of the systems I scanned showed a Korgo port signature (113/3067).

    One system was totally amazing for open ports (please tell me this is a honey pot).
    29 open TCP ports: 22, 25, 80, 110, 113, 119, 135, 139, 420, 445, 559, 1022, 1023, 1025, 1433, 2041, 2745, 3067, 3127, 4444, 5000, 5300, 6129, 8967, 9898, 9996, 9999, 28856, 65506
    1 open UDP port: 137

    Blake
    http://www.LinkLogger.com
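
The port-signature tally described in the post above, as an added example that is not part of the original post: it reads scan results for hosts you are responsible for and counts how many show each worm's port combination. The nmap grepable (`-oG`) input format, the sample hosts, the function names and the rule that every port of a signature must be open are assumptions made here; the port-to-worm labels come from the post's table.

```python
import re
from collections import Counter

# Port signatures as labelled in the post's table. Requiring every port of a
# signature to be open is an assumption made for this example.
SIGNATURES = {
    "Korgo": {113, 3067},
    "Sasser": {5554, 9996},
    "Sasser.G": {1022, 1023},
    "MSBlast": {4444},
    "Dabber": {8967},
}

# Constructed sample in nmap grepable (-oG) format, documentation addresses only.
SAMPLE_SCAN = (
    "# constructed sample\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 113/open/tcp//ident///, 445/open/tcp//microsoft-ds///, 3067/open/tcp/////\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 113/open/tcp//ident///, 3067/filtered/tcp/////\n"
    "Host: 192.0.2.12 ()\tPorts: 445/open/tcp//microsoft-ds///, 1022/open/tcp/////, 1023/open/tcp/////, 5554/open/tcp/////, 9996/open/tcp/////\n"
    "Host: 192.0.2.13 ()\tPorts: 80/open/tcp//http///, 137/open/udp//netbios-ns///\n"
)

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s.*?\bPorts:\s+([^\t]*)")

def open_tcp_ports(scan_text):
    """Return {host: set of open TCP ports} parsed from grepable output."""
    hosts = {}
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment and Status lines carry no port list
        ports = hosts.setdefault(m.group(1), set())
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            # entry layout: port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return hosts

def classify(ports):
    """Names of signatures whose ports are all open on one host."""
    return sorted(n for n, sig in SIGNATURES.items() if sig <= ports)

def prevalence(hosts):
    """Count hosts per matched signature."""
    return Counter(n for p in hosts.values() for n in classify(p))
```

Port 113 is also the standard ident port, so the sample host with 113 open but 3067 filtered is deliberately not counted as Korgo; a match is a reason to inspect the host, not a confirmed infection.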
     