[Snort-users] redworm sanity check
JHally at ...5637...
Sat Jun 8 15:02:03 EDT 2002
I'm looking over some detects I pulled down from the net, and I see a lot of
activity between hosts using a source and destination port of 65535. I know
that code red/adore worm opened a back door on this port, but I had thought
that it only listened on this port, and not communicated with other infected
hosts on the same port. Does that make sense? I've been looking at these
traces a while, and starting to burn out, I just wanted to get a sanity
04/01-08:10:28.570578 [**] High port 65535 udp - possible Red Worm - traffic
[**] xxx.xxx.6.49:65535 -> xxx.xxx.152.181:65535
thanks in advance.
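One way to sanity-check a pile of alerts like the one quoted above is to parse the Snort "fast" alert lines and summarize which host pairs are actually talking 65535-to-65535, and how many distinct peers each host has on that port. A host that only listens on a backdoor port would show up as the destination in many pairs; a host that is the source in many pairs is the one to triage first. The following is an added example, not code from the original post or from the Snort project; the alert lines it parses are constructed sample data in the same format as the post's detect, using documentation addresses, and the regex assumes IPv4 (or masked "xxx") addresses.

```python
import re
from collections import Counter, defaultdict

# Snort "fast"-style alert line, as quoted in the post:
#   04/01-08:10:28.570578 [**] High port 65535 udp - possible Red Worm - traffic [**] a.b.c.d:65535 -> e.f.g.h:65535
# Assumption: IPv4 (or masked "xxx.xxx.n.n") addresses only; IPv6 would need a different host pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_ALERTS = [
    "04/01-08:10:28.570578 [**] High port 65535 udp - possible Red Worm - traffic [**] 192.0.2.49:65535 -> 192.0.2.181:65535",
    "04/01-08:10:29.110233 [**] High port 65535 udp - possible Red Worm - traffic [**] 192.0.2.181:65535 -> 192.0.2.49:65535",
    "04/01-08:11:02.004410 [**] High port 65535 udp - possible Red Worm - traffic [**] 192.0.2.49:65535 -> 192.0.2.77:65535",
    "04/01-08:11:05.998001 [**] High port 65535 udp - possible Red Worm - traffic [**] 192.0.2.9:1034 -> 192.0.2.49:65535",
    "this line is not an alert and is skipped",
]


def parse_alert(line):
    """Return a dict with ts, msg, src, sport, dst, dport, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def summarize_port_pairs(lines, port=65535):
    """Count alerts where BOTH endpoints use `port`, keyed by unordered host pair.

    Also returns, per host, how many distinct peers it exchanged such traffic with,
    which is the quick way to separate a single listener from a host that is
    reaching out to many others on the same port.
    """
    pairs = Counter()
    peers = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sport"] != port or a["dport"] != port:
            continue  # not parseable, or only one side on the suspect port
        pair = tuple(sorted((a["src"], a["dst"])))
        pairs[pair] += 1
        peers[a["src"]].add(a["dst"])
        peers[a["dst"]].add(a["src"])
    return pairs, {host: len(p) for host, p in peers.items()}


if __name__ == "__main__":
    pairs, peer_counts = summarize_port_pairs(SAMPLE_ALERTS)
    print("host pair (both ends :65535)      alerts")
    for (h1, h2), n in pairs.most_common():
        print(f"{h1} <-> {h2}    {n}")
    print("\nhost              distinct 65535 peers")
    for host, n in sorted(peer_counts.items(), key=lambda kv: -kv[1]):
        print(f"{host:<18}{n}")
```

On the constructed input the 1034 -> 65535 line is dropped because only one side is on the port, so the summary shows two symmetric pairs and flags 192.0.2.49 as the host with the most distinct 65535 peers; against real fast-alert output you would feed the file's lines in place of SAMPLE_ALERTS.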