Evo
3rd Jul 2004, 08:16
Over the last couple of days, port 9898 on my firewall has started to take a hammering (nearly 500 hits last night). A bit of searching shows I'm not alone, with comments like
Over the past couple of days there has been a large rise in port 9898 activity reported http://www.dshield.org/port_report.php?port=9898 . The Dabber worm (which rides in on the coattails of Sasser) opens a listener on port 9898, which is then probed by the attacking system to confirm its success. We're unaware of any "counter-counter" worm that is looking for Dabber backdoors, but I have seen a significant rise in scanning for it, as well.
Any more info? I've seen this sort of thing before (e.g. a large number of 5554 scans with the Sasser worm), so I presume something is about to hit?
Probably a good time to make sure everything is up to date folks :ok:
Over the past couple of days there has been a large rise in port 9898 activity reported http://www.dshield.org/port_report.php?port=9898 . The Dabber worm (which rides in on the coattails of Sasser) opens a listener on port 9898, which is then probed by the attacking system to confirm its success. We're unaware of any "counter-counter" worm that is looking for Dabber backdoors, but I have seen a significant rise in scanning for it, as well.
Any more info? I've seen this sort of thing before (e.g. a large number of 5554 scans with the Sasser worm), so I presume something is about to hit?
Probably a good time to make sure everything is up to date folks :ok: