Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?
Everyone, over the past 4 days I have been observing very random outgoing
connection requests to a single external machine on the inet over ports 3127
and 3198.
The three machines in question are running Windows 2000 Server with all
security fixes and current Symantec anti-virus definitions. The following
characteristics are being observed:
1. Outgoing connections started on Tuesday morning. Approximately 3 probes
an hour.
2. Each machine is trying to reach the same IP address on the inet. (IP
belongs to a private company)
3. Probes slowed down on Tuesday afternoon, then stopped altogether. On
Wednesday afternoon I observed a couple more probes, then nothing.
I have scanned these machines with AV software, no viruses detected, and
because the ports in question are normally associated with
Novarg/mydoom/doomjuice I ran the removal utilities from Microsoft and the
AV vendor which detected nothing either.
I visited the machines and ran FPORT, PSlist and a couple of other tools and
detected no unusual processes. I also scanned each of the machines with
Nmap and Nessus and detected nothing out of the ordinary. (no open ports
other than MS stuff etc.) I have blocked all outgoing access to the IP in
question. (the ports were already closed incoming/outgoing) I have also
placed a sniffer in front of these machines configured to capture traffic
going to the suspect IP address, so far nothing.
Does anyone have any idea whether there is an unknown virus/worm using TCP
3127/3198? I will be rebuilding these machines shortly but I just wanted to
get some feedback or see whether anyone else was experiencing similar
problems.
Thanks in advance for any replies,
Steve
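The pattern described in the post (several internal hosts making sparse outbound attempts to one external IP on TCP 3127/3198) is easy to miss in raw logs but simple to surface once you aggregate per source host and per hour. The following is an added example, not part of the original post or any tool the poster mentions; it assumes a hypothetical firewall log format and uses constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a hypothetical "ts ACTION PROTO src:port -> dst:port"
# firewall log format. These are not real captures; 198.51.100.7 stands in for the
# single external "suspect IP" and 192.0.2.x for the internal servers.
SAMPLE_LOG = """\
2004-02-17 09:03:11 DENY TCP 192.0.2.10:1041 -> 198.51.100.7:3127
2004-02-17 09:21:45 DENY TCP 192.0.2.11:1302 -> 198.51.100.7:3198
2004-02-17 09:48:02 DENY TCP 192.0.2.10:1055 -> 198.51.100.7:3127
2004-02-17 10:12:37 DENY TCP 192.0.2.12:2210 -> 198.51.100.7:3127
2004-02-17 10:30:00 ALLOW TCP 192.0.2.10:1060 -> 203.0.113.5:80
2004-02-17 10:44:19 DENY TCP 192.0.2.11:1310 -> 198.51.100.7:3127
2004-02-17 11:05:55 DENY TCP 192.0.2.10:1077 -> 198.51.100.7:3198
"""

# Ports the post associates with Novarg/Mydoom/Doomjuice backdoor traffic.
SUSPECT_PORTS = {3127, 3198}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspect_connections(log_text, ports=SUSPECT_PORTS):
    """Return every TCP record whose destination port is in the suspect set."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] in ports:
            records.append(rec)
    return records


def summarize(records):
    """Aggregate suspect records by source host, by destination, and per source-hour."""
    by_source = Counter(r["src"] for r in records)
    destinations = sorted({r["dst"] for r in records})
    per_hour = Counter((r["src"], r["ts"].strftime("%Y-%m-%d %H:00")) for r in records)
    return {
        "by_source": dict(by_source),
        "destinations": destinations,
        "per_hour": dict(per_hour),
    }


def single_destination(records):
    """True when all suspect attempts target one external IP, the signal the post describes."""
    return len({r["dst"] for r in records}) == 1


if __name__ == "__main__":
    recs = find_suspect_connections(SAMPLE_LOG)
    summary = summarize(recs)
    print("suspect attempts by source host:", summary["by_source"])
    print("distinct destinations:", summary["destinations"])
    print("single destination:", single_destination(recs))
    for (src, hour), n in sorted(summary["per_hour"].items()):
        print(f"{src} {hour} {n} attempt(s)")
```

Run against a real export, the per-hour counts make the "approximately 3 probes an hour, then tapering off" timeline visible at a glance, and the single-destination check separates beaconing to one fixed host from ordinary scanning noise. The same aggregation also gives the sniffer placed in front of the machines a concrete filter target (source host plus destination port) once traffic resumes.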