RE: Router Worm?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 11/20/03

    To: "'Jose Nazario'" <jose@monkey.org>, "'Jay D. Dyson'" <jdyson@treachery.net>
    Date: Thu, 20 Nov 2003 09:14:10 -0800
    
    

      I've never seen it do that, in the about 50 or so instances
    I've encountered. Does it only do it occasionally? Does it
    attack the same host against which 135/tcp failed, or some
    random third party?
      (Does it, perhaps, distinguish between 135/tcp "failed to
    connect" and 135/tcp "connected, but target was patched and
    so could not be infected"?)

    David Gillett

    > -----Original Message-----
    > From: Jose Nazario [mailto:jose@monkey.org]
    > Sent: November 19, 2003 17:06
    > To: Jay D. Dyson
    > Cc: Bugtraq
    > Subject: Re: Router Worm?
    >
    >
    > it's welchia/nachi. when it can't connect via 135/tcp, it will
    > attempt an exploit against a webdav server (see MS03-007).
    >
    > i've seen an uptick in this in the past couple of days, too,
    > visible on a few httpd servers i track. and i, too, was caught
    > off guard until someone pointed out it was nachi to me. digging
    > into the tech details showed that i (and many of us) had been
    > overlooking a secondary attack.
    >
    > ___________________________
    > jose nazario, ph.d. jose@monkey.org
    > http://monkey.org/~jose/
    >
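The fallback Jose describes (Nachi trying the MS03-007 WebDAV exploit when 135/tcp fails) and David's question of whether the WebDAV attempt hits the same host can both be checked from logs. The script below is an added example, not code from either poster: it correlates each source's most recent 135/tcp outcome with any later oversized WebDAV request. The log format, the sample lines and the 4096-byte length threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format): time src dst proto/port outcome [method req_len]
LOG = """\
09:01:02 10.0.0.5 10.0.0.20 tcp/135 refused
09:01:03 10.0.0.5 10.0.0.20 tcp/80 established SEARCH 65536
09:02:10 10.0.0.7 10.0.0.21 tcp/135 established
09:02:11 10.0.0.7 10.0.0.21 tcp/80 established GET 12
09:03:00 10.0.0.9 10.0.0.22 tcp/135 refused
09:03:01 10.0.0.9 10.0.0.23 tcp/80 established PROPFIND 70000
"""

WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL"}
LONG_REQUEST = 4096  # assumed threshold: MS03-007 needs an oversized request
LINE = re.compile(r"^(\S+) (\S+) (\S+) tcp/(\d+) (\w+)(?: (\S+) (\d+))?$")

def parse(log):
    """Parse the log into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t, src, dst, port, outcome, method, rlen = m.groups()
        events.append({"t": t, "src": src, "dst": dst, "port": int(port),
                       "outcome": outcome, "method": method,
                       "rlen": int(rlen) if rlen else 0})
    return events

def correlate(events):
    """For each source, pair its most recent 135/tcp attempt with any later
    oversized WebDAV request, recording whether the WebDAV target is the
    same host the 135/tcp attempt went to (David's question)."""
    last135 = {}
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["port"] == 135:
            last135[ev["src"]] = (ev["dst"], ev["outcome"])
        elif (ev["port"] == 80 and ev["method"] in WEBDAV_METHODS
              and ev["rlen"] >= LONG_REQUEST and ev["src"] in last135):
            dst135, outcome = last135[ev["src"]]
            same = "same host" if dst135 == ev["dst"] else "different host"
            hits[ev["src"]].append((dst135, outcome, ev["dst"], same))
    return dict(hits)

if __name__ == "__main__":
    for src, seq in correlate(parse(LOG)).items():
        print(src, seq)
```

On the constructed sample, the two sources whose 135/tcp connection was refused are flagged, and the output shows one of them retrying the same host and the other moving to a different one, which is the distinction David asks about.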

