Increase in TCP 5554 activity
Looks like there is an increase in TCP 5554 activity. This is due to
public exploits against the FTP daemon installed by the Sasser worm and
may be related to the "Dabber" worm covered in yesterday's diary entry.
Basically, this is malware attacking malware. If you aren't infected
with the Sasser worm, then you won't be infected with this.
In addition to the "Dabber" automated worm, we have reports that the
exploit is being manually executed against vulnerable hosts, which is
somewhat rare in these days of automated exploits and bot networks.
Fragmented IP traffic towards port 16191
We have received a report of fragmented IP traffic with source and
destination ports both set to 16191. At this point, we don't have
many details but would like to see if anybody else is seeing similar
Please patch your Symantec/Norton firewall products
As discussed in the diaries for the last two days, there are several
vulnerabilities in Symantec/Norton firewall products. Exploit code is
currently being developed. If you run these products (even behind
other firewalls), you are highly urged to apply the vendor patches.
You may recall the worm "Witty" attacked a similar flaw in ISS products
that caused major problems for people running those products.
Download the patches here:
Remember the Witty worm:
May 15th 2004
May 15th 2004
1 decade ago