Yesterday we noticed some strange traffic from some internal machines
trying to contact Japanese IP addresses on port 54875 like 300 times a
second. We left the office without worrying too much and we came back this
morning to see that there were external Japanese IP addresses which were
querying internal machines for the RPC vulnerability.

This kind of activity has now spread in various sites (worldwide) of our

Here is a log sample from one of our routers:

tcp xxx.xxx.xxx.xxx:4364
tcp xxx.xxx.xxx.xxx:4365
tcp xxx.xxx.xxx.xxx:4366
tcp xxx.xxx.xxx.xxx:4368
tcp xxx.xxx.xxx.xxx:4369
tcp xxx.xxx.xxx.xxx:4370

This IP address resolves to whyme.geol.sci.hiroshima-u.ac.jp

Now, trying to connect to this IP address on port 80 you get to the
Department of Earth and Planetary Systems Science Graduate School of
at Hiroshima University webpage ... trying to connect to on
the port 6667 it gets to an IRC server: irc.foonet.com. But the MOTD is
stating this:
*** Welcome to the ROXnet IRC Network
Also, *** There are 41 users and 864 invisible on 1 servers.
I did a /list and I get only two channels. On #R0S3s there are a couple of
bots that don't look like something legitimate.

That is kinda strange, isn't it? Anyways, do any of you have an idea of what
is going on? Which virus is it?