North American Network Operators Group

Re: W32/Sobig-F - Halflife correlation ???
Did anyone else see anything with regard to this thread?

Regards
Darren Smith

----- Original Message -----
From: "Darren Smith" <[email protected]>
To: "Robert Blayzor" <[email protected]>; "North American Network Operators Group" <[email protected]>
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???

> Hi
>
> Just a quick look at my syslog file, where MOO is the name of my ACL.
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
> 2383
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
> 459
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
> 210
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
> 59
>
> As you can see, most of them were on 27015; these logs were from just one of
> my transit interfaces.
>
> Best Regards
>
> Darren Smith
>
> ----- Original Message -----
> From: "Robert Blayzor" <[email protected]>
> To: "North American Network Operators Group" <[email protected]>
> Sent: Saturday, August 23, 2003 1:05 PM
> Subject: Re: W32/Sobig-F - Halflife correlation ???
>
> > On 8/23/03 7:17 AM, "Darren Smith" <[email protected]> wrote:
> >
> > > They were trying to hit servers in multiple subnets, all on ports 270XX.
> >
> > I'm not sure on this. Lots of gaming servers use the 270XX UDP range.
> > Quake3, HL, etc.
> >
> > It may be possible it's just probing for other HL servers running on
> > different ports. A lot of these games also use the same gaming engine for
> > the network and graphics abilities, so it's possible HL may not be the only
> > "game server" in the mix; it may be any game that uses the HL engine. I
> > know there are several out there, Counterstrike being one of them.
> >
> > So if it's not looking for a HL-only exploit, I'd bet it's trying to get the
> > infected machines to link up and communicate via the network of gaming
> > servers. This could be very bad because there could be virtually no way to
> > stop this other than taking down the "Game Spy" type networks so the
> > computers can't find each other.
> >
> > --
> > Robert Blayzor, BOFH
> > INOC, LLC
> > [email protected]
> > PGP: http://www.inoc.net/~dev/
> > Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9
> >
> > "Oh my God, Space Aliens!! Don't eat me, I have a wife and kids!
> > Eat them!" -- Homer J. Simpson
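The per-port counts above come from a `fgrep MOO ... | grep 27015 -c` pipeline over Cisco ACL syslog. The script below is an added example, not code from the thread or from either poster: it parses IOS `%SEC-6-IPACCESSLOGP` lines (the format logged by an extended ACL entry carrying the `log` keyword), keys the count on the parsed destination-port field rather than on any occurrence of the digits, and optionally weights by the packet count IOS folds into each summarised line. The log lines embedded in it are constructed for illustration and are not real router output; the ACL name MOO and the 27000-27999 window are taken from the thread.

```python
"""Per-destination-port histogram of Cisco IOS ACL log hits.

Added example (not from the NANOG thread). Assumes the IOS
%SEC-6-IPACCESSLOGP format produced by extended ACL entries with "log":
  list <ACL> denied udp <src>(<sport>) -> <dst>(<dport>), N packet(s)
"""
import re
from collections import Counter

# Captures each field so the ACL name and destination port become
# comparisons on parsed values, not substring matches on the whole line.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample lines (not real router output). Line 4 carries 27015
# as the *source* port and line 5 belongs to a different ACL; both are
# traps for a plain substring grep.
SAMPLE_LOG = """\
Aug 23 12:01:02 rtr1 101: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1042) -> 192.0.2.10(27015), 1 packet
Aug 23 12:01:03 rtr1 102: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1043) -> 192.0.2.11(27015), 3 packets
Aug 23 12:01:04 rtr1 103: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.8(1044) -> 192.0.2.12(27016), 1 packet
Aug 23 12:01:05 rtr1 104: %SEC-6-IPACCESSLOGP: list MOO denied udp 203.0.113.5(27015) -> 192.0.2.10(53), 1 packet
Aug 23 12:01:06 rtr1 105: %SEC-6-IPACCESSLOGP: list OTHER denied tcp 203.0.113.9(27015) -> 192.0.2.20(80), 1 packet
Aug 23 12:01:07 rtr1 106: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.9(1045) -> 192.0.2.13(27017), 2 packets
"""


def parse(lines):
    """Yield a dict of fields for every line that is an ACL log entry."""
    for line in lines:
        m = ACL_LOG.search(line)
        if m:
            yield m.groupdict()


def dport_histogram(lines, acl, lo=27000, hi=27999, weight_by_packets=False):
    """Count hits per destination port for one ACL within [lo, hi].

    By default one log line counts once. IOS rate-limits ACL logging and
    emits a summary line with "N packets" every few minutes, so pass
    weight_by_packets=True to sum those counters instead.
    """
    hist = Counter()
    for rec in parse(lines):
        if rec["acl"] != acl:
            continue
        dport = int(rec["dport"])
        if lo <= dport <= hi:
            hist[dport] += int(rec["packets"]) if weight_by_packets else 1
    return hist


def substring_count(lines, acl, port):
    """Equivalent of `fgrep ACL log | grep PORT -c`: any occurrence counts."""
    return sum(1 for line in lines if acl in line and str(port) in line)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("grep-style count for 27015:", substring_count(lines, "MOO", 27015))
    for port, n in sorted(dport_histogram(lines, "MOO").items()):
        print(f"dport {port}: {n} log entries")
    for port, n in sorted(dport_histogram(lines, "MOO", weight_by_packets=True).items()):
        print(f"dport {port}: {n} packets")
```

On the constructed sample, the grep-style count for 27015 is 3 while the parsed destination-port count is 2, because one line has 27015 as the source port. Whether that gap matters on a real transit-interface log depends on how often the digits of the port you are counting show up elsewhere on the line (source ports, parts of addresses, sequence numbers), which is exactly what a field-aware parse removes from the question.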