Event ID - 4387

Port No: 4387
Service Name: Gaobot Redirect Commands
RFC Doc: 0
Protocol: TCP
Description: This event indicates that a host has been infected with a Phatbot/Gaobot/Agobot worm, and has joined a bot network on an IRC channel while listening for bot-specific commands that are embedded in normal IRC conversation.
Reference Link: Port Number: 4387, Service Name: Gaobot Redirect Commands, Port: TCP
Attack: According to Symantec

Resolution:
The variants have been observed to propagate using one of the following vulnerabilities. Remediating these vulnerabilities is essential to prevent future infections.
1) The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
2) The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
3) The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
4) The Microsoft Messenger service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-043).
5) The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
6) The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
7) The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
8) The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.
9) The worm may also exploit the backdoors of the Beagle and Mydoom worm families.
10) Some variants of the worm exploit the Dameware Remote Control Server vulnerability described in CAN-2003-1030.
