North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: W32/Sobig-F - Halflife correlation ???

  • From: Darren Smith
  • Date: Tue Aug 26 05:36:09 2003

Did anyone else see anything with regards to this thread?

Regards

Darren Smith

----- Original Message ----- 
From: "Darren Smith" <[email protected]>
To: "Robert Blayzor" <[email protected]>; "North American Network Operators Group"
<[email protected]>
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???


>
> Hi
>
> Just a quick look at my syslog file, where MOO is the name of my ACL.
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
> 2383
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
> 459
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
> 210
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
> 59
>
> As you can see most of them were on 27015, these logs were from just one of
> my transit interfaces.
>
> Best Regards
>
> Darren Smith
>
> ----- Original Message ----- 
> From: "Robert Blayzor" <[email protected]>
> To: "North American Network Operators Group" <[email protected]>
> Sent: Saturday, August 23, 2003 1:05 PM
> Subject: Re: W32/Sobig-F - Halflife correlation ???
>
>
> >
> > On 8/23/03 7:17 AM, "Darren Smith" <[email protected]> wrote:
> >
> > > They were trying to hit servers in multiple subnets, all on ports 270XX.
> >
> > I'm not sure on this.  Lots of gaming servers use the 270XX UDP range.
> > Quake3, HL, etc.
> >
> > It may be possible it's just probing for other HL servers running on
> > different ports.  A lot of these games also use the same gaming engine for
> > the network and graphics abilities, so it's possible HL may not be the
> only
> > "game server" in the mix, it may be any game that uses the HL engine.  I
> > know there are several out there, Counterstrike being one of them.
> >
> > So if it's not looking for a HL only exploit, I'd bet it's trying to get
> the
> > infected machines to link up and communicate via the network of gaming
> > servers.  This could be very bad because there could be virtually no way
> to
> > stop this other than taking down the "Game Spy" type networks so the
> > computers can't find each other.
> >
> > --
> > Robert Blayzor, BOFH
> > INOC, LLC
> > [email protected]
> > PGP: http://www.inoc.net/~dev/
> > Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9
> >
> > "Oh my God, Space Aliens!!  Don't eat me, I have a wife and kids!
> >                 Eat them!"  -- Homer J. Simpson
> >
> >
> >
>
>