Hi,

Yesterday we noticed some strange traffic from some internal machines
trying to contact Japanese IP addresses on port 54875 like 300 times a
second. We left the office without worrying too much and came back this
morning to see that there were external Japanese IP addresses
querying internal machines for the RPC vulnerability.

This kind of activity has now spread in various sites (worldwide) of our
company.

Here is a log sample from one of our routers:

tcp xxx.xxx.xxx.xxx:4364 10.136.11.218:4364 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4365 10.136.11.218:4365 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4366 10.136.11.218:4366 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4368 10.136.11.218:4368 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4369 10.136.11.218:4369 133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4370 10.136.11.218:4370 133.41.133.109:54875 133.41.133.109:54875

This IP address resolves to whyme.geol.sci.hiroshima-u.ac.jp

Now, trying to connect to this IP address on port 80 you get to the
Department of Earth and Planetary Systems Science, Graduate School of
Science at Hiroshima University webpage ... trying to connect to
133.41.133.109 on port 6667 you get to an IRC server: irc.foonet.com.
But the MOTD is stating this:
*** Welcome to the ROXnet IRC Network
Also, *** There are 41 users and 864 invisible on 1 servers.
I did a /list and I got only two channels. On #R0S3s there are a couple of
bots that don't look like anything legitimate.


That is kinda strange, isn't it? Anyway, do any of you have an idea of what
is going on? Which virus is it?


Thanks,

Roach4
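The traffic in the post (one internal host opening connection after connection, with climbing source ports, to a single external IP:port) is easy to pick out of a router translation log. The script below is an added example, not part of the original post; it assumes the five-column format shown above is a NAT translation table (proto, inside global, inside local, outside local, outside global), and the sample lines are constructed to mirror it.

```python
"""Flag internal hosts hammering one external socket in a NAT-style
translation log (added example; sample lines constructed, with a
documentation address standing in for the masked inside-global IP)."""
from collections import defaultdict

SAMPLE_LOG = """\
tcp 198.51.100.7:4364 10.136.11.218:4364 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:4365 10.136.11.218:4365 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:4366 10.136.11.218:4366 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:4368 10.136.11.218:4368 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:4369 10.136.11.218:4369 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:4370 10.136.11.218:4370 133.41.133.109:54875 133.41.133.109:54875
tcp 198.51.100.7:1201 10.136.11.50:1201 203.0.113.9:80 203.0.113.9:80
"""


def parse_line(line):
    """Return the inside-local and outside-global sockets, or None if the
    line is not in the assumed five-column format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        pairs = [(s.rsplit(":", 1)[0], int(s.rsplit(":", 1)[1])) for s in fields[1:]]
    except (IndexError, ValueError):
        return None
    return {"proto": fields[0], "inside_local": pairs[1], "outside_global": pairs[3]}


def flag_fanout(log_text, min_conns=5):
    """Group translations by (internal host, remote socket) and report groups
    with at least min_conns entries.  Source ports climbing in near-lockstep
    (span close to the count) point at one process opening connection after
    connection rather than several independent clients."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            host, sport = rec["inside_local"]
            groups[(host, rec["outside_global"])].append(sport)
    findings = []
    for (host, (rip, rport)), sports in groups.items():
        if len(sports) < min_conns:
            continue
        ports = sorted(set(sports))
        span = ports[-1] - ports[0] + 1
        findings.append({"internal": host, "remote": f"{rip}:{rport}",
                         "connections": len(sports),
                         "sequential_ports": span <= 2 * len(ports)})
    return sorted(findings, key=lambda f: -f["connections"])


if __name__ == "__main__":
    for finding in flag_fanout(SAMPLE_LOG):
        print(finding)
```

Run against a real translation table the threshold should be set from the normal per-host connection count; the sequential-port flag is what separates a bot's connection loop from a busy but legitimate client.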