Network Security Incidents

RE: Increase seen in port probes since Tuesday afternoon

Subject: RE: Increase seen in port probes since Tuesday afternoon
Date: Thu, 30 Dec 2004 16:09:11 -0500
We're seeing it too and believe it is part of the Gaobot/Agobot family.
We're getting concentrated scans from multiple hosts in the same Class "B"
subnet we're in.

On web servers we're seeing log entries such as the following, which isn't
new to the Gaobot/Agobot family:

ex041226.log:2004-12-26 05:07:10 12.33.103.174 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -

That's a FrontPage DLL from a vulnerability dating back to 11/03.

With an IDS we get alerts for both 'WebDAV Search Access' and
'Chunked-Encoding transfer attempts.'

Some good links for further information are:

http://lists.sans.org/pipermail/list/2004-December/087846.html
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora@phra.com] 
Sent: Thursday, December 30, 2004 2:45 PM
To: 'BahdKo'; incidents@securityfocus.com
Subject: RE: Increase seen in port probes since Tuesday afternoon

BahdKo wrote Thursday, December 30, 2004 04:23

Since Tuesday afternoon EST I've seen a dramatic increase in 
the number of machines probing my network on ports 2745, 
1025, 3127, 6129, and usually 80. Each probe involves the 
machine sending three packets to each port.

Yes, from time to time. The port pattern is typical of many botnets, many of
which will focus multiple drones against a particular IP space for a while.

Packet captures might reveal whether there is anything new or interesting
about any of the individual probes. The three packets would probably be
standard Syn retries. Again a packet capture would show whether or not this
is the case. If a destination device is listening on any of those ports, a
packet capture might also give an indication about whether there is some new
payload.
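As an added example (not from the thread or its authors), the two triage checks the discussion above suggests, run over constructed sample data: counting POSTs to fp30reg.dll per /16 ("Class B") source block from web log lines laid out like the entry quoted earlier, and deciding whether three SYNs to one port are a retransmitted SYN or three separate attempts. All addresses, ports and sequence numbers are made up.

```python
from collections import Counter, defaultdict

FP_DLL = "/_vti_bin/_vti_aut/fp30reg.dll"   # FrontPage DLL path from the thread

# Constructed IIS log lines using the same column layout as the thread's sample
# (date time c-ip - [snip] s-port method uri query status -); real W3C logs need
# their #Fields header consulted to locate the c-ip, method and uri columns.
SAMPLE_LOG = """\
2004-12-26 05:07:10 12.33.103.174 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
2004-12-26 05:07:41 12.33.17.9 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
2004-12-26 05:09:02 198.51.100.7 - [snip] 80 GET /index.html - 200 -
2004-12-26 05:12:55 12.33.200.1 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 404 -
2004-12-26 05:14:03 198.51.100.44 - [snip] 80 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
"""

def fp30reg_hits_by_slash16(log_text):
    """Count POSTs to fp30reg.dll per /16 ("Class B") source block."""
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith("#"):   # skip blank, comment, truncated
            continue
        c_ip, method, uri = f[2], f[6], f[7]
        if method == "POST" and uri.lower() == FP_DLL:
            hits[".".join(c_ip.split(".")[:2])] += 1
    return dict(hits)

# Constructed SYN packets seen at one host: (src_ip, src_port, dst_port, seq)
SAMPLE_SYNS = [
    ("203.0.113.5", 1137, 2745, 0x1A2B3C4D),   # same 4-tuple and ISN three
    ("203.0.113.5", 1137, 2745, 0x1A2B3C4D),   # times: a normal SYN retry
    ("203.0.113.5", 1137, 2745, 0x1A2B3C4D),
    ("203.0.113.9", 2001, 6129, 0x1111),       # new source port and ISN each
    ("203.0.113.9", 2002, 6129, 0x2222),       # time: three separate attempts
    ("203.0.113.9", 2003, 6129, 0x3333),
]

def classify_probes(syns):
    """Per (src_ip, dst_port): 'syn-retry' when every SYN reuses one source
    port and sequence number (the stack retransmitting an unanswered SYN),
    else 'distinct-attempts', which deserves a closer look at the capture."""
    groups = defaultdict(set)
    for src, sport, dport, seq in syns:
        groups[(src, dport)].add((sport, seq))
    return {k: ("syn-retry" if len(v) == 1 else "distinct-attempts")
            for k, v in groups.items()}
```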

