RE: CodeRed Observations.

From: Rob McCauley (robmccau@RadOnc.Duke.EDU)
Date: 03/13/03

    Date: Thu, 13 Mar 2003 13:35:57 -0500 (EST)
    From: Rob McCauley <robmccau@RadOnc.Duke.EDU>
    To: Rob Shein <shoten@starpower.net>
    
    

    On Thu, 13 Mar 2003, Rob Shein wrote:

    > I'd be careful and make sure, if I were you. I don't think that the worm is
    > stateless, as it wouldn't be able to spread if it just sent data over TCP
    > without establishing the handshake first. When you just PSH without
    > handshaking first, your data gets rejected.

    A claim has been made that IE, IIS, and at least some flavors of Windows
    don't work like that. http://grotto11.com/blog/?+1039831658. I don't
    have time to verify the claim, but if it's true a worm spreading without
    the expected TCP handshake might well be possible.

    Rob

    -- 
    ------------------------------------------------------------------------------
    Rob McCauley
    Radiation Oncology
    Duke University Medical Center
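
Added example, not part of the original message: one way to check a capture for what this thread debates, namely TCP segments that carry data on a connection where no SYN / SYN-ACK / ACK exchange was observed. The record layout, function names and addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# Assumed record layout: one entry per TCP segment, flags as letters (S, A, P, ...).
Seg = namedtuple("Seg", "src sport dst dport flags payload_len")

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    Seg("192.0.2.10", 40000, "198.51.100.5", 80, "S", 0),
    Seg("198.51.100.5", 80, "192.0.2.10", 40000, "SA", 0),
    Seg("192.0.2.10", 40000, "198.51.100.5", 80, "A", 0),
    Seg("192.0.2.10", 40000, "198.51.100.5", 80, "PA", 512),   # normal request
    Seg("192.0.2.77", 41000, "198.51.100.5", 80, "PA", 1460),  # no handshake seen
    Seg("192.0.2.88", 42000, "198.51.100.5", 80, "S", 0),
    Seg("192.0.2.88", 42000, "198.51.100.5", 80, "PA", 300),   # data before SYN-ACK
]

def flow_key(seg):
    """Direction-independent key for a TCP connection."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)

def data_without_handshake(segments):
    """Return segments carrying payload on a flow with no completed handshake."""
    state = {}      # flow key -> (handshake stage, client endpoint)
    flagged = []
    for seg in segments:
        key = flow_key(seg)
        stage, client = state.get(key, ("NONE", None))
        sender = (seg.src, seg.sport)
        f = set(seg.flags)
        if f == {"S"}:
            stage, client = "SYN_SEEN", sender
        elif f == {"S", "A"} and stage == "SYN_SEEN" and sender != client:
            stage = "SYNACK_SEEN"
        elif "A" in f and "S" not in f and stage == "SYNACK_SEEN" and sender == client:
            # Client ACK completes the handshake (it may itself carry data).
            stage = "ESTABLISHED"
        state[key] = (stage, client)
        if seg.payload_len > 0 and stage != "ESTABLISHED":
            flagged.append(seg)
    return flagged

if __name__ == "__main__":
    for seg in data_without_handshake(SAMPLE):
        print("data without handshake:", seg)
```

A capture that starts mid-connection will also be flagged, so confirm that the trace covers the start of each flow before drawing conclusions.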
    
