Re: Worm on 445/tcp?
From: Stephen Friedl (steve@unixwiz.net)
Date: 12/18/02
Date: Tue, 17 Dec 2002 17:46:55 -0800
From: Stephen Friedl <steve@unixwiz.net>
To: ryany@pantek.com
> my second octet is 144, above the 127 rule. but, unless you are reading
> backwards (and the second being the third and the fourth being the first)
> then the 216 is still above the 127 rule... Then again, I may have missed
> part of the posts and spt could be originating from 445 as well, which in
> that case this could be just regular network rejects as usual.
Your logs were almost certainly not from this worm: the code is quite clear
that the second and fourth octets (1.*2*.3.*4*) won't be above 127, and
I do not believe this worm was even around back on the 9th - myNetWatchman
first saw this activity on the 14th.
Looks like yer usual internet riff-raff to me :-)
Steve
---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve@unixwiz.net
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
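
The octet and date checks from the reply above, applied to firewall log lines, as an added example that is not part of the original message. The log format, the sample lines and their addresses are constructed, and the check assumes the octet rule applies to the destination address, as the quoted reply applies it to the poster's own address.

```python
import re
from datetime import date

# Assumption taken from the message: activity first seen on 14 Dec 2002.
FIRST_SEEN = date(2002, 12, 14)

# Constructed iptables-style format with an ISO timestamp (an assumption).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?"
    r"DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?"
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def octets_fit(ip):
    """True if the 2nd and 4th octets are both <= 127 (1.*2*.3.*4*)."""
    parts = [int(p) for p in ip.split(".")]
    return len(parts) == 4 and parts[1] <= 127 and parts[3] <= 127

def classify(line):
    """Return (verdict, reason) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return ("skip", "unparsed")
    if int(m["dpt"]) != 445:
        # e.g. SPT=445: traffic coming back from port 445, not a probe to it
        return ("skip", "not a probe to 445/tcp")
    if date.fromisoformat(m["day"]) < FIRST_SEEN:
        return ("other", "predates first sighting")
    if not octets_fit(m["dst"]):
        return ("other", "2nd or 4th octet of target above 127")
    # Not excluded by either rule; this alone does not prove it was the worm.
    return ("candidate", "consistent with the worm's target pattern")

SAMPLE_LOG = """\
2002-12-09T04:11:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.144.5.9 PROTO=TCP SPT=3321 DPT=445
2002-12-15T09:30:18 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=4402 DPT=445
2002-12-15T09:31:40 fw kernel: IN=eth0 SRC=203.0.113.9 DST=10.144.5.9 PROTO=TCP SPT=4410 DPT=445
2002-12-16T11:02:55 fw kernel: IN=eth0 SRC=203.0.113.4 DST=198.51.100.20 PROTO=TCP SPT=445 DPT=3120
2002-12-16T11:05:01 fw kernel: IN=eth0 SRC=203.0.113.8 DST=192.0.2.200 PROTO=TCP SPT=2077 DPT=445
"""

def triage(text):
    """Classify every line of a log excerpt, in order."""
    return [classify(line) for line in text.splitlines()]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_LOG.splitlines(), triage(SAMPLE_LOG)):
        print(f"{verdict:9} {reason:42} {line[:19]}")
```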