New botnet on the block? Keep an eye on port 1720
Correspondents inform me that they've observed customer machines infected with viruses that are running services on ports 1720 and 1863. Currently, there's no traffic on those ports, but it's possible that they form part of a new botnet.
Oddly enough, it's been seen on Fedora Linux as well as Windows. It's pretty rare for a virus to run under Linux, so perhaps this is videoconferencing software idly waiting for an incoming connection.
I'll post more details when I have them, but it's something to keep an eye on. If anybody has any more information, please post a comment.
UPDATE: A correspondent has assured me that this isn't videoconferencing software, and that experienced techies are looking into it. Whatever it is, it's spreading rapidly.
Sysadmins should be prepared to block ports 1720 and 1863 if things start happening.
More information as it becomes available.
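Before blocking anything, a sysadmin wants to know which process actually owns the listener on 1720 or 1863, since a genuine H.323 client and an unknown binary look identical from the outside. The following is an added example, not code from the post or its correspondents: it parses `ss -ltnp`-style output (the sample lines and the allowlist of conferencing/IM client names are constructed assumptions), flags listeners on the two ports that are not owned by a known client or that run from /tmp, and emits the iptables rules the post says to have ready.

```python
import re
from dataclasses import dataclass
# Ports the post says to watch, with what they are normally used for.
WATCH_PORTS = {1720: "H.323 call signalling (videoconferencing)",
               1863: "instant-messaging / iMesh login (per the comments)"}
# Assumed allowlist of process names that may legitimately own these ports.
KNOWN_OK = {"ekiga", "gnomemeeting", "amsn"}
# Constructed sample in the format of `ss -ltnp`; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:1720       0.0.0.0:*         users:(("ekiga",pid=2210,fd=19))
LISTEN 0      50     0.0.0.0:1863       0.0.0.0:*         users:(("/tmp/.x/httpd",pid=3301,fd=4))
LISTEN 0      128    [::]:80            [::]:*            users:(("nginx",pid=990,fd=6))
"""
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$")
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

@dataclass
class Listener:
    port: int
    addr: str
    name: str  # process name or path exactly as ss reports it
    pid: int

def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn `ss -ltnp` text into Listener records; lines without a process are skipped."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        p = PROC_RE.search(m.group("proc")) if m else None
        if p:
            found.append(Listener(int(m.group("port")), m.group("addr"),
                                  p.group("name"), int(p.group("pid"))))
    return found

def triage(ss_output: str, known_ok=KNOWN_OK) -> list[dict]:
    """Report listeners on the watched ports; flag those not owned by a known client."""
    hits = []
    for l in parse_listeners(ss_output):
        if l.port in WATCH_PORTS:
            base = l.name.rsplit("/", 1)[-1]
            suspicious = base not in known_ok or l.name.startswith("/tmp/")
            hits.append({"port": l.port, "pid": l.pid, "process": l.name,
                         "expected": WATCH_PORTS[l.port], "suspicious": suspicious})
    return hits

def block_rules(ports=WATCH_PORTS) -> list[str]:
    """iptables commands to drop inbound TCP on the watched ports, should blocking be needed."""
    return [f"iptables -I INPUT -p tcp --dport {p} -j DROP" for p in sorted(ports)]
```

On a live host, feed `triage()` the output of `ss -ltnp` (or the equivalent `netstat -tlnp`); a flagged PID is the thing to inspect before deciding whether the port rules are needed.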
Labels: security
4 Comments:
Thanks for the heads up on this botnet, it has come at an interesting time for me in my research of compromised machines. Keep up the good work on this blog. :)
http://portforward.com/cports.htm
Says that 1720 is "CUseeMe-CUworld".
http://www.imfirewall.com/en/protocol_list.htm
has listings for both of those ports, and says that the iMesh P2P file share uses 1863 as its default login.
Yes, 1720 is the H.323 (video conferencing) port, which is related to CU-SeeMe. I didn't know that 1863 was for file sharing.
The chatter on this is that the ports have been detected as open on systems with clueful users who swear they're not running video conferencing. Supposedly you can connect to the 1720 port and issue commands, but the details are sketchy.
Yes, it must be video conferencing. I would believe it when it only occurred on Windows. But on Linux too? That would be very very very rare :)