North American Network Operators Group
Re: W32/Sobig-F - Halflife correlation ???
Hi

Just a quick look at my syslog file, where MOO is the name of my ACL.

fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
2383
fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
459
fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
210
fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
59

As you can see, most of them were on 27015; these logs were from just one of
my transit interfaces.

Best Regards
Darren Smith

----- Original Message -----
From: "Robert Blayzor" <[email protected]>
To: "North American Network Operators Group" <[email protected]>
Sent: Saturday, August 23, 2003 1:05 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???

> On 8/23/03 7:17 AM, "Darren Smith" <[email protected]> wrote:
>
> > They were trying to hit servers in multiple subnets, all on ports 270XX.
>
> I'm not sure on this. Lots of gaming servers use the 270XX UDP range.
> Quake3, HL, etc.
>
> It may be possible it's just probing for other HL servers running on
> different ports. A lot of these games also use the same gaming engine for
> the network and graphics abilities, so it's possible HL may not be the only
> "game server" in the mix, it may be any game that uses the HL engine. I
> know there are several out there, Counterstrike being one of them.
>
> So if it's not looking for a HL only exploit, I'd bet it's trying to get the
> infected machines to link up and communicate via the network of gaming
> servers. This could be very bad because there could be virtually no way to
> stop this other than taking down the "Game Spy" type networks so the
> computers can't find each other.
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [email protected]
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9
>
> "Oh my God, Space Aliens!! Don't eat me, I have a wife and kids!
> Eat them!" -- Homer J. Simpson
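The per-port counts in the post match the port digits anywhere in the log line, so a source port or packet count with the same digits is counted too. The script below is an added example, not from the list post: it reads the destination port out of the "-> dst(port)," token of Cisco IOS ACL log entries and tallies hits and packets per protocol/port. The log lines and router name are constructed samples, and the %SEC-6-IPACCESSLOGP line layout is assumed.

```shell
#!/bin/sh
# Tally Cisco IOS ACL log hits by destination port. Unlike "grep -c 27015",
# which matches the digits anywhere in the line (source port, packet count),
# this reads the port from the "-> dst(port)," token after the arrow.
# Sample lines are constructed; the %SEC-6-IPACCESSLOGP layout is assumed.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Aug 23 13:05:01 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.10(1521) -> 198.51.100.5(27015), 1 packet
Aug 23 13:05:02 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.11(27015) -> 198.51.100.5(53), 1 packet
Aug 23 13:05:03 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.12(4444) -> 198.51.100.6(27016), 1 packet
Aug 23 13:05:04 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 192.0.2.13(4444) -> 198.51.100.7(27015), 3 packets
Aug 23 13:05:05 rtr1 %SEC-6-IPACCESSLOGP: list OTHER denied udp 192.0.2.14(4444) -> 198.51.100.8(27015), 1 packet
EOF

# The post's approach: any line for the ACL that contains the digits.
naive_count() {                       # $1 = ACL name, $2 = port
    grep -F "list $1 " "$LOG" | grep -c -- "$2" || true
}

# Count only lines whose destination port is $2 for ACL $1.
dst_port_count() {
    awk -v acl="$1" -v port="$2" '
        index($0, "list " acl " ") > 0 {
            for (i = 1; i < NF; i++) if ($i == "->") {
                split($(i + 1), dst, "[()]")      # "198.51.100.5(27015)," -> dst[2]
                if (dst[2] == port) hits++
            }
        }
        END { print hits + 0 }' "$LOG"
}

# Per protocol/port table for ACL $1: log entries and packets, busiest first.
dst_port_summary() {
    awk -v acl="$1" '
        index($0, "list " acl " ") > 0 {
            for (i = 3; i < NF; i++) if ($i == "->") {
                split($(i + 1), dst, "[()]")
                key = $(i - 2) "/" dst[2]          # protocol sits before the source
                hits[key]++; pkts[key] += $(i + 2) # "N packet(s)" follows the dst
            }
        }
        END { for (k in hits) print hits[k], "hits", pkts[k], "packets", k }' "$LOG" |
        sort -rn
}

echo "naive: $(naive_count MOO 27015)   by dst port: $(dst_port_count MOO 27015)"
dst_port_summary MOO
```

On the sample above the naive count for 27015 is 3 while only 2 entries actually have it as destination port; the gap comes from the line where 27015 is the source port.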