Port 2967

"dick" strikes again

Reply to
ASMx4

Indeed. Now, would you, "dick", please stay quiet? kthxbye

Reply to
Sebastian Gottschalk

Mine are coming from a site in the U.K.:

Checking IP: 81.29.70.36... Name:
IP: 81.29.70.36 Domain: 5starwebsites.co.uk

I've blacklisted the port in Shorewall, so hits don't clutter the log.

Jim Ford

Reply to
Jim Ford

I think this is a new variant of W32.IRCBOT

Anyone killed it yet?

Reply to
asksuzan

This is an exploit for a recently patched vulnerability in Symantec SSC Agent and its variants, as has been extensively discussed. There are various malware generations trying to exploit it, not just your generic W32.IRCBOT.

Killed? How's that supposed to work? The Symantec stuff is running with SYSTEM privileges, thus a successful exploit means that the entire system was compromised. There's no way to recover from such a scenario without a complete safe boot-strapping process, which usually means to flatten and rebuild the entire system (or having a recent backup, having checksums or a well-known safe state for determining the modification).

Reply to
Sebastian Gottschalk

People, I just want to say, you know, can we all get along?

Reply to
Rodney King
