[Snort-users] Suspicious DNS query, et al.

Meij Ewout EC CH ewout.meij at ...680...
Wed Apr 4 05:00:36 EDT 2001


[...]
> Ports attacked have been 53 ( DNS ), 111 ( rpcbind ), 515 ( line
> printer ), 21 ( FTP ), and 3879 ( ??? ).  The source machines appear
> to have been located in Korea, China, Japan, the Phillippines, Hong
> Kong, and Australia.  In this country, Arizona State University
> appears to have been a source.

Smells like Adore Worm, see sans:

http://www.sans.org/y2k/adore.htm




More information about the Snort-users mailing list