[nsp-sec] Morto worm C&C (RDP Scanner)
Joel Rosenblatt
joel at columbia.edu
Tue Aug 30 15:56:09 EDT 2011
Hi,
Looking back further, it appears that if you have a machine talking to
128.59.163.178 on port 10119 (UDP) anytime after July 30 2011 18:00 -0500, you can assume that it is infected.
This is an interesting bot... the scanning always lasts for a little less than 1 hour, then it goes to sleep for a random amount of time, sometimes up to 10 days.
If I find some free time, I'll go through our netflow data as far back as I can and see if I can pull some more IPs from it.
Thanks,
Joel
--On Tuesday, August 30, 2011 2:29 PM -0400 Joel Rosenblatt <joel at columbia.edu> wrote:
> Hi,
>
> I found what looks like a Morto worm C&C on our network on the 25th - it was taken down, but the bots are still reporting in - see attached file for IPs
>
> Start time for IPs found 2011/08/26 14:09:29 -0500
> End time 2011/08/29 01:43:28 -0500
>
> Here are the ASNs found:
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
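The indicator in the post above (a host sending UDP traffic to 128.59.163.178 on port 10119 after July 30 2011 18:00 -0500) is easy to turn into a flow-log check. The following is an added example, not code from the original post or from Joel's netflow tooling; the flow records are constructed sample data in a simple "timestamp src dst proto dport" format, and the parser is an assumption about that format rather than any real collector's output. Because the bot sleeps for up to 10 days between check-ins, the example also records first-seen, last-seen and hit count per source so a single missed window does not hide an infected host.

```python
from datetime import datetime, timedelta, timezone

# Indicator as stated in the post: C&C at 128.59.163.178, UDP port 10119,
# any traffic after 2011-07-30 18:00 -0500 means the source is infected.
CNC_IP = "128.59.163.178"
CNC_PORT = 10119
CNC_PROTO = "UDP"
CUTOFF = datetime(2011, 7, 30, 18, 0, tzinfo=timezone(timedelta(hours=-5)))

# Constructed sample flow records (not real data). Assumed format:
# "<ISO-8601 timestamp with offset> <src ip> <dst ip> <proto> <dst port>"
SAMPLE_FLOWS = """\
2011-08-26T14:09:29-0500 10.1.2.3 128.59.163.178 UDP 10119
2011-08-26T14:10:02-0500 10.1.2.3 128.59.163.178 UDP 10119
2011-07-29T09:00:00-0500 10.1.2.9 128.59.163.178 UDP 10119
2011-08-27T08:15:44-0500 10.1.5.7 128.59.163.178 TCP 10119
2011-08-28T23:40:11-0500 10.1.8.8 128.59.163.178 UDP 10119
2011-08-28T23:41:00-0500 10.1.8.8 192.0.2.10 UDP 53
"""


def parse_flow(line):
    """Parse one flow record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"),
        src,
        dst,
        proto.upper(),
        int(dport),
    )


def matches_cnc(ts, dst, proto, dport):
    """True if this flow matches the C&C indicator from the post."""
    return dst == CNC_IP and proto == CNC_PROTO and dport == CNC_PORT and ts >= CUTOFF


def find_infected(flow_text):
    """Return {src_ip: (first_seen, last_seen, hit_count)} for hosts that
    contacted the C&C. Only matching flows are counted; pre-cutoff traffic
    and non-UDP traffic to the same IP/port are ignored."""
    hits = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if not matches_cnc(ts, dst, proto, dport):
            continue
        first, last, count = hits.get(src, (ts, ts, 0))
        hits[src] = (min(first, ts), max(last, ts), count + 1)
    return hits


def report(hits):
    """Render the results as one line per suspected host, oldest first."""
    lines = []
    for src, (first, last, count) in sorted(hits.items(), key=lambda kv: kv[1][0]):
        lines.append(f"{src}: {count} check-in(s), first {first.isoformat()}, last {last.isoformat()}")
    return lines


if __name__ == "__main__":
    for line in report(find_infected(SAMPLE_FLOWS)):
        print(line)
```

Run on real data, the same logic applies to any export that carries a timestamp with offset, source, destination, protocol and destination port; since the bot's sleep interval can reach 10 days, the look-back window should be at least that long before a host is declared clean.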