I just remembered reading that the virus opens a connection over port
3127(see footnote). I was wondering if anyone has considered creating =
rule, looking for this connection. So far I have seen rules looking =
emails and for the DOS attack that will occur against http://www.sco.com from =
1st to Feb 12th. But what about the remote access capabilities of the =
I looked up the port number at =
and found this:
ctx-bridge 3127/tcp CTX Bridge Port
ctx-bridge 3127/udp CTX Bridge Port
So I would imagine that snagging all packets over this port will contain many false positives, as this port is used for CTX Bridges. What those are I don't have a clue ;) I don't have a test environment here to capture and study the viruses activities, so I can look for specific packet contents being transferred over this port.
Any thoughts or ideas?
I sent this earlier but I don't think it ever hit the list.
(Although it's kind of obsolete already as there is a new version of the
alert tcp $HOME_NET 3127 -> $EXTERNAL_NET any \
(msg: "Response from infected W32.Novarg.A@... host"; \
content: "|04 5B 00 00 00 00 00 00|"; dsize: 8;)
On Wed, 28 Jan 2004 CMartin@... wrote:
> So I would imagine that snagging all packets over this port will contain
> many false positives, as this port is used for CTX Bridges. What those are
> I don't have a clue ;) I don't have a test environment here to capture and
> study the viruses activities, so I can look for specific packet contents
> being transferred over this port.