Re: [Full-Disclosure] Sasser skips 10.x.x.x Why?

From: Rodrigo Barbosa (rodrigob_at_suespammers.org)
Date: 05/03/04

  • Next message: dk: "Re: [Full-Disclosure] A rather newbie question"
    To: full-disclosure@lists.netsys.com
    Date: Mon, 3 May 2004 18:52:57 -0300
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I have several cases of machines on 172.18.X.X networks infecting
    each other.

    On Mon, May 03, 2004 at 12:44:31PM -0700, Eric Chien wrote:
    > Actually, it is all variants (.A - .D). And more
    > specifically, it iterates through all the host IP
    > addresses looking for an address that does not match:
    > 127.0.0.1
    > 10.
    > 172.16 - 172.31 (inclusive)
    > 192.168.
    > 169.254
    >
    > Then, using this address it creates a random address
    > (sometimes changing all octets, sometimes just the
    > last three, and sometimes just the last two).
    >
    > ...Eric
    >
    > --- Shawn Cox <shawn.cox@pcca.com> wrote:
    > > It appears that only .D skips private ranges. I
    > > incorrectly assumed that
    > > the original would do the same.
    > >
    > > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D&VSect=T
    > >
    > > --Shawn
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    - --
    Rodrigo Barbosa <rodrigob@suespammers.org>
    "Quid quid Latine dictum sit, altum viditur"
    "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iD8DBQFAlr84pdyWzQ5b5ckRArQnAKCF+8d9s9yRKige5HM4yHlzs+gFEACgjylU
    yCiXhCxRPNpFFVkU2/QnCHI=
    =e9Ce
    -----END PGP SIGNATURE-----
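
The exclusion list quoted from Eric Chien above, turned into a triage helper for host inventories and flow records. This is an added example, not part of the original thread; reading the quoted prefixes as CIDR blocks is an assumption, and the host names, addresses and flows are constructed sample data.

```python
import ipaddress
# Exclusion list as quoted in the thread, read as CIDR blocks (assumption).
# 127.0.0.1 is taken literally as one address, not the whole 127.0.0.0/8.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32",     # 127.0.0.1
    "10.0.0.0/8",       # 10.
    "172.16.0.0/12",    # 172.16 - 172.31 (inclusive)
    "192.168.0.0/16",   # 192.168.
    "169.254.0.0/16",   # 169.254
)]

def is_excluded(addr):
    """True if addr matches one of the ranges listed in the thread."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXCLUDED)

def passing_addresses(host_addrs):
    """Addresses on one host that do not match the list. Empty means all
    are excluded; the thread does not say what the worm does in that case."""
    return [a for a in host_addrs if not is_excluded(a)]

def bucket(src, dst):
    """Bucket a flow by leading octets shared with src: last two octets changed,
    last three changed, or all changed. Random hits can fall closer by chance."""
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    if s[:2] == d[:2]:
        return "same_/16"
    if s[:1] == d[:1]:
        return "same_/8"
    return "other"

def profile(flows):
    """Count buckets per source address over (src, dst) pairs."""
    out = {}
    for src, dst in flows:
        counts = out.setdefault(src, {"same_/16": 0, "same_/8": 0, "other": 0})
        counts[bucket(src, dst)] += 1
    return out

# Constructed sample data (not from the thread).
HOSTS = {"ws-01": ["127.0.0.1", "172.18.5.10"],
         "gw-01": ["127.0.0.1", "10.1.2.3", "203.0.113.7"]}
FLOWS = [("172.18.5.10", "172.18.9.44"), ("172.18.5.10", "172.18.200.1"),
         ("172.18.5.10", "172.77.1.2"), ("172.18.5.10", "198.51.100.9")]

if __name__ == "__main__":
    print({h: passing_addresses(a) for h, a in HOSTS.items()})
    print(profile(FLOWS))
```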


