Re: is this the start of something naughty?
From: Jean-Luc (Jean-Luc_at_Cavey.org)
Date: 08/18/03
- Previous message: Dan Bartley: "RE: Microsoft 'extinguishes' windowsupdate.com"
- In reply to: Charles Blackburn: "is this the start of something naughty?"
To: "Charles Blackburn" <charlesb@summerfield-technology.co.uk>, <incidents@securityfocus.com>
Date: Mon, 18 Aug 2003 20:49:45 +0200
Have a look here: http://www.sophos.com/virusinfo/analyses/w32nachia.html
and there: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Hope this helps
Jean-Luc Cavey
65, boulevard Brune
75014 Paris, France
+33 (0) 1 45 43 45 62
+33 (0) 6 15 93 77 96
E-Mail : Jean-Luc@Cavey.org
---- Original Message ----
From: "Charles Blackburn" <charlesb@summerfield-technology.co.uk>
To: <incidents@securityfocus.com>
Sent: Monday, August 18, 2003 12:24 PM
Subject: is this the start of something naughty?
> Hi
>
> I received approximately 100 of these within the space of 30 minutes
> or so from numerous different IP addresses and on my /29 block (2/3
> machines and also the broadcast/and network addresses). Now I've had
> a few shall we say erm, "funnies" going on on this one machine lately
> with problems when it's rebooted which seem to be fixed by a kernel
> rebuild, but that could be a hardware problem. However, it could be
> more indicative of an attack maybe even a successful one.
>
> Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2
> Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
> 80.253.133.136 -> xx.xx.xx.120/123/125/127
>
> 120/127 are the end of my 8 IP block, 125 is the machine with the
> funnies, and 123 is a Windows 98 VMware session that I've only just
> finished installing Windows in.
>
> It's always those same IPs and never any of the others.
>
> My question is, what can I do to see whether my box has been
> compromised (a rebuild's not much of a problem as I was going to do it
> anyway :P) and could any of you "1337" (I use that term loosely)
> help me.
>
> regards
> charles
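A triage sketch for the kind of alert burst described in the original post, added here as an example and not part of either message: it groups Snort syslog alerts by signature and lists the signatures raised by several distinct sources within a short window. The function names, thresholds, the local rule id 1000001 and the sample lines (documentation address ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of the Snort syslog alert quoted in the original post.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[Classification"
    r".*\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)")

def summarize(lines, year=2003):
    """Per signature: alert count, distinct sources/destinations, timestamps.
    Syslog timestamps carry no year, so the caller supplies one."""
    sigs = defaultdict(lambda: {"msg": "", "count": 0, "src": set(),
                                "dst": set(), "times": []})
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a Snort alert (other daemons share the syslog file)
        s = sigs[(int(m["gid"]), int(m["sid"]))]
        s["msg"] = m["msg"]
        s["count"] += 1
        s["src"].add(m["src"])
        s["dst"].add(m["dst"])
        s["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return dict(sigs)

def many_source_signatures(sigs, min_sources=3, window=timedelta(minutes=30)):
    """Signatures with >= min_sources distinct senders, all alerts inside window."""
    return sorted(k for k, s in sigs.items()
                  if len(s["src"]) >= min_sources
                  and max(s["times"]) - min(s["times"]) <= window)

# Constructed sample (documentation address ranges, not the poster's data).
_FMT = ("Aug 18 {t} thunder snort: [1:{sid}:2] {msg} [Classification: Misc "
        "activity] [Priority: 3]: {{ICMP}} {src} -> {dst}")
_CK = "ICMP PING CyberKit 2.2 Windows"
SAMPLE = [
    _FMT.format(t="10:46:14", sid=483, msg=_CK, src="198.51.100.7", dst="192.0.2.120"),
    _FMT.format(t="10:46:15", sid=483, msg=_CK, src="198.51.100.7", dst="192.0.2.125"),
    _FMT.format(t="10:52:40", sid=483, msg=_CK, src="203.0.113.19", dst="192.0.2.123"),
    _FMT.format(t="11:03:02", sid=483, msg=_CK, src="203.0.113.88", dst="192.0.2.127"),
    _FMT.format(t="11:04:10", sid=1000001, msg="constructed local rule",
                src="198.51.100.7", dst="192.0.2.125"),
    "Aug 18 11:05:31 thunder sshd[411]: constructed non-Snort line",
]

if __name__ == "__main__":
    for key in many_source_signatures(summarize(SAMPLE)):
        print("many-source signature (gid, sid):", key)
```

A signature listed here is being sent by many hosts at once, which points at widespread automated scanning rather than one scanner; it says nothing about whether the receiving host is compromised.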