The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Tuesday, March 27, 2007

New botnet on the block? Keep an eye on port 1720

Correspondents inform me that they've observed customer machines infected with viruses that are running services on ports 1720 and 1863. Currently, there's no traffic on those ports, but it's possible that they form part of a new botnet.

Oddly enough, it's been seen on Fedora Linux as well as windows. It's pretty rare for a virus to run under Linux, so perhaps this is video conferencing software idly waiting for an incoming connection.

I'll post more details when I have them, but it's something to keep an eye on. If anybody has any more information, please post a comment.

UPDATE: Correspondent has assured me that this isn't videoconferencing software, and that experienced techies are looking into it. Whatever it is, it's spreading rapidly.

Sysadmins should be prepared to block ports 1720 and 1863 if things start happening.

More information as it becomes available.

Labels:

4 Comments:

Blogger Map said...

Thanks for the heads up on this botnet, it has come at an interesting time for me in my research of compromised machines. Keep up the good work on this blog. :)

5:01 AM  
Blogger Unknown said...

http://portforward.com/cports.htm

Says that 1720 is "CUseeMe-CUworld".

http://www.imfirewall.com/en/protocol_list.htm

has listings for both of those ports, and says that the iMesh P2p file share uses 1863 as its default login.

8:43 AM  
Blogger Spam Diaries said...

Yes, 1720 is the H323 (video conferencing) port, which is related to CuCme. I didn't know that 1863 was for file sharing.

The chatter on this is that the ports have been detected as open on systems with clueful users who swear they're not running video conferencing. Supposedly you can connect to the 1720 port and issue commands, but the details are sketchy.

3:13 PM  
Anonymous Anonymous said...

Yes it must be video conferencing. I would believe it when it only occured on windows. But on linux too? That would be very very very rare :)

12:56 AM  

Post a Comment

<< Home