redzulu2003
Feb 10 2004, 02:26 PM
Keep an eye on all port 1080 traffic, which is now linked to Vesser/W32.HLLW.Deadhat activity, also port 139 which is now on the increase with a new menace named DoomJuice, which is a backdoor taking advantage of the Doom virus as of late.
Finally look into port 1243 which is also on the up, not the SubSeven but the Backdoor "G" trojan on the same port .... use Snort or some packet monitor if ya want to read the signatures of these pains; if ya can find the IP's, mention them here and PM me, I have a sexy list coming along nicely.
So its
port 1080
port 139
port 1243
to monitor more in the next few days or so.
cya
Moore
Feb 12 2004, 05:30 AM
thanks for the warning, but holy sht check out this port attack graph of the mydoom virus still going strong:
http://isc.sans.org/port_details.html?port=3127
QUOTE
The Win32.Mydoom computer-virus opens and listens to the TCP port 3127,
(if this port is already in use, the worm tries the next one free
from the range 3128- 3199).
http://isc.sans.org/top10.html
this is just from the last hour:
217.228.156.162 TCP(3127)
81.65.128.37 TCP(3127)
80.11.122.150 TCP(3127)
218.59.30.84 TCP(3127)
150.254.194.196 TCP(3127)
218.167.174.21 TCP(3127)
61.147.66.205 TCP(3127)
61.238.165.54 TCP(3127)
219.233.118.12 TCP(3127)
80.26.95.135 TCP(3127)
redzulu2003
Feb 12 2004, 06:28 AM
Yes I use that site a lot via DShield.
I don't agree with their "3128-3199" port use for MyDoom, I've only seen it going from 3127 to 3138.
Also updated my trojan list, it's in PG format and DYING to be added to the BLM lol. I also am getting hit more and more by DoomJuice on port 139, which is a backdoor for MyDoom; this virus is the WORST one I ever seen, there's so many ass-bandits attached to it, the makers really had it planned.
Plus I am starting to get those shitty emails now, with FWD in the subject line, yes it's HERE and it's only just started.
My advice is BLOCK the ports it uses and monitor ALL traffic to those ports anyway in case, no firewall is air-tight.
If ya get any IP's PM me them.
GuruGuru
Feb 12 2004, 06:48 AM
I appreciate what you men are doing, but blocking these IP addresses is pretty useless, especially if they're dynamic.
If we knew for sure they were fixed then great!
Moore
Feb 12 2004, 07:02 AM
very true Guru, that's why I usually keep the dynamic IPs to myself, but I don't think there's any harm in sharing them anyway around here, just between us folk.
lol, Telstra made it into DShield's list, and they are the national telecommunications company for Australia, I bet there's a few trojans in there.
144.132.8.0 144.132.8.255 24 65527 Telstra (NET-TELECOMAU2) AU mboschma@TELSTRA.COM.AU
138.130.228.0 138.130.228.255 24 64902 Telstra Internet AU abuse@telstra.net
redzulu2003
Feb 12 2004, 12:04 PM
Yes spot on GuruGuru, I got carried away with the excitement LOL, but like Moore says no harm us lot moaning about it here. I'm still gunna block it LOL cos I'm a paranoid trat.
I suppose we could get our heads together sometime and look through the IPs we find with regards to trojans, worms, viruses etc. and block out whole subnets and ranges that are a menace and seem to be spreading the shit around; that would help in the dynamic IP part, just block the whole lot where the IPs reside, but I would only do that if it was an utter shit hole.
Anyways I WILL be looking through my WHOLE list this weekend and looking for patterns. I shall PM Moore with the findings and we can act upon this.
cyaz
r00ted
Feb 12 2004, 12:11 PM
yea, that's the thing about blocking them. might be more effective to just generate a form e-mail to send to each address's ISP, and attach your logs as evidence that they have customers infected.
Hell, back when I used sub7.....lol...I went "port scanning" for 1 night, the next morning, the acct was "deactivated" and when my stepdad called Earthlink they basically told him he was infected with a trojan (WHICH HE WASN'T lol).
redzulu2003
Feb 12 2004, 03:44 PM
e-mail to send to each address's ISP, and attach your logs as evidence that they have customers infected.
----
It's an idea but there's SO MANY, I have a day job LOL, plus some are probably assholes up to no good anyway.
I submit ALL my logs to DShield so they do all the ISP contacting if it's needed, i.e. the attacker is bad enough.
I am gunna just block them for now but I agree summat must be done about getting them sorted and cleaned cos some subnets and WHOLE damn ranges are infected, it's not on at all .... my own ISP NTL is getting bad infestations on certain subnets including the subnet I am on; this is a problem that's hard to solve as we have jobs of our own and can't be doing this 24/7, plus the other groups like DShield only target the HUGE attackers.
So like I say, for now I will block all of them that I find and soon be looking for patterns in ranges/subnets, and if one is found the subnets/ranges shall be blocked.
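The thread suggests two things a defender can automate: watching firewall logs for the ports named above (1080, 139, 1243, and the MyDoom backdoor range 3127-3199 that ISC reported) and looking for patterns, i.e. whether repeated hits cluster in the same /24 before deciding to block a whole subnet. The script below is an added example, not code from any poster in this thread or from DShield. It assumes a hypothetical iptables-style log line ("SRC=... DST=... PROTO=... DPT=...") and the sample lines are constructed from documentation address ranges, not real attackers.

```python
"""Watch-list triage over firewall log lines (added example, constructed data).

Assumes a hypothetical iptables-style syslog format:
  <timestamp> fw kernel: DROP SRC=<ip> DST=<ip> PROTO=<TCP|UDP> DPT=<port>
The port list is the one discussed in the thread; the 3127-3199 range is the
MyDoom listener range as reported by ISC/SANS.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Ports to watch: Deadhat (1080), DoomJuice (139), Backdoor "G" (1243),
# MyDoom backdoor listener range (3127-3199).
WATCHED_PORTS = {1080, 139, 1243} | set(range(3127, 3200))

# Constructed sample log; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 12 06:01:10 fw kernel: DROP SRC=198.51.100.11 DST=192.0.2.10 PROTO=TCP DPT=3127
Feb 12 06:01:12 fw kernel: DROP SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP DPT=3127
Feb 12 06:01:15 fw kernel: DROP SRC=198.51.100.201 DST=192.0.2.10 PROTO=TCP DPT=3130
Feb 12 06:02:01 fw kernel: DROP SRC=203.0.113.37 DST=192.0.2.10 PROTO=TCP DPT=139
Feb 12 06:02:30 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 12 06:03:05 fw kernel: DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=1243
Feb 12 06:03:07 fw kernel: DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=UDP DPT=1243
Feb 12 06:04:00 fw kernel: DROP SRC=203.0.113.90 DST=192.0.2.10 PROTO=TCP DPT=1080
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")


def parse_hits(log_text):
    """Return (src_ip, dport) for TCP packets aimed at a watched port.

    UDP and unwatched ports are ignored; malformed lines are skipped rather
    than raising, since real logs always contain lines in other formats.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if m.group("proto") == "TCP" and dport in WATCHED_PORTS:
            hits.append((m.group("src"), dport))
    return hits


def hits_per_port(hits):
    """How many watched-port hits each destination port received."""
    return Counter(dport for _, dport in hits)


def hits_by_subnet(hits, prefixlen=24):
    """Map each /prefixlen network to the number of DISTINCT sources in it.

    Counting distinct hosts (not packets) is what separates one noisy box
    from a subnet with several infected machines.
    """
    hosts = defaultdict(set)
    for src, _ in hits:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        hosts[str(net)].add(src)
    return {net: len(srcs) for net, srcs in hosts.items()}


def candidate_subnets(hits, min_hosts=2, prefixlen=24):
    """Networks with at least min_hosts distinct sources hitting watched ports.

    These are candidates for a closer look (whois/abuse contact, DShield
    submission), not an automatic block list.
    """
    per_net = hits_by_subnet(hits, prefixlen)
    return sorted(net for net, n in per_net.items() if n >= min_hosts)


if __name__ == "__main__":
    found = parse_hits(SAMPLE_LOG)
    print("watched-port hits:", len(found))
    print("per port:", dict(hits_per_port(found)))
    print("distinct hosts per /24:", hits_by_subnet(found))
    print("subnets worth a closer look:", candidate_subnets(found))
```

On the constructed sample this flags six TCP hits, two subnets with more than one distinct source, and leaves the single UDP line and the port 80 line alone. The threshold and prefix length are the knobs to tune; a /24 with two hosts is a pattern worth checking, not proof the whole range is infected, which is the caveat GuruGuru raised about dynamic addresses.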