[Full-Disclosure] 100 Worms per Second, Courtesy of Telstra

From: Karl A. Krueger (kkrueger@outbox.whoi.edu)
Date: 01/26/03

    To: full-disclosure@lists.netsys.com
    From: "Karl A. Krueger" <kkrueger@outbox.whoi.edu>
    Date: Sun, 26 Jan 2003 13:50:40 -0500
    

    Pardon my delurk, but this is very strange worm behavior. We are seeing
    100 SQL Worms per second from a single IP address on Telstra. This is
    about 10k times the level of activity we are seeing from any other
    address.

    Anyone here either know anyone at Telstra who can shut this off, or
    perhaps at least some explanation of why this worm instance would set
    aside its usual randomish behavior and flood us like this?

    This is 1/10th of a second of tcpdump, from outside our firewall:

    13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434: udp 376
    13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434: udp 376
    13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434: udp 376
    13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434: udp 376
    13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434: udp 376
    13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434: udp 376
    13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434: udp 376
    13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434: udp 376
    13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434: udp 376
    13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434: udp 376
    13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434: udp 376

    -- 
    Karl A. Krueger <kkrueger@whoi.edu>
    Network Security -- Linux/Unix Systems Support -- Etc.
    Woods Hole Oceanographic Institution
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
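To turn an observation like the one above into a repeatable check, here is an added example (not part of Karl's post) that parses tcpdump lines of the form quoted in it, keeps only the Sapphire/SQL-worm signature the capture shows (376-byte UDP datagrams to port 1434), and reports per-source packet count, distinct targets and packets per second so that a single flooding source stands out from ordinary scanning. The sample input is the 11 quoted lines plus three constructed lines from 192.0.2.10 (a documentation-range address, not from the post) as a low-rate contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the 11 tcpdump lines quoted in the post, plus three
# constructed lines from 192.0.2.10 (documentation range) as a contrast.
SAMPLE = [
    "13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434: udp 376",
    "13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434: udp 376",
    "13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434: udp 376",
    "13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434: udp 376",
    "13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434: udp 376",
    "13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434: udp 376",
    "13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434: udp 376",
    "13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434: udp 376",
    "13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434: udp 376",
    "13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434: udp 376",
    "13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434: udp 376",
    "13:34:01.100000 192.0.2.10.1234 > xxx.yyy.1.1.1434: udp 376",
    "13:34:01.200000 192.0.2.10.1234 > xxx.yyy.1.2.53: udp 40",
    "13:34:02.100000 192.0.2.10.1234 > xxx.yyy.1.3.1434: udp 376",
]

# Old-style tcpdump: "HH:MM:SS.usec src.port > dst.port: udp length"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+?)\.(\d+)\s+>\s+(\S+?)\.(\d+):\s+udp\s+(\d+)$")

def parse_line(line):
    # Returns None for lines that are not UDP summaries in this format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, _sport, dst, dport, length = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "dst": dst, "dport": int(dport), "len": int(length)}

def slammer_rates(lines, dport=1434, payload_len=376):
    # Per-source stats for datagrams matching the worm's size and port.
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == dport and rec["len"] == payload_len:
            by_src[rec["src"]].append(rec)
    rates = {}
    for src, recs in by_src.items():
        span = max(r["t"] for r in recs) - min(r["t"] for r in recs)
        rates[src] = {"packets": len(recs), "targets": len({r["dst"] for r in recs}),
                      "pps": len(recs) / span if span > 0 else 0.0}  # one packet: no rate
    return rates

def flag_floods(rates, threshold_pps=10.0):
    return sorted(s for s, r in rates.items() if r["pps"] >= threshold_pps)
```

The 10 pps threshold is an assumed starting point; set it from the per-source rate you normally see during the outbreak, since the post's point is that this one source was orders of magnitude above every other infected host.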
    

