Re: is this the start of something naughty?

From: Jean-Luc (Jean-Luc_at_Cavey.org)
Date: 08/18/03

    To: "Charles Blackburn" <charlesb@summerfield-technology.co.uk>, <incidents@securityfocus.com>
    Date: Mon, 18 Aug 2003 20:49:45 +0200
    
    

    Have a look here: http://www.sophos.com/virusinfo/analyses/w32nachia.html

    and there: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    Hope this helps

    Jean-Luc Cavey
    65, boulevard Brune
    75014 Paris, France
    +33 (0) 1 45 43 45 62
    +33 (0) 6 15 93 77 96
    E-Mail : Jean-Luc@Cavey.org

    ---- Original Message ----
    From: "Charles Blackburn" <charlesb@summerfield-technology.co.uk>
    To: <incidents@securityfocus.com>
    Sent: Monday, August 18, 2003 12:24 PM
    Subject: is this the start of something naughty?

    > Hi
    >
    > I received approximately 100 of these within the space of 30 minutes
    > or so from numerous different IP addresses and on my /29 block (2/3
    > machines and also the broadcast and network addresses). Now I've had
    > a few, shall we say, erm, "funnies" going on on this one machine lately
    > with problems when it's rebooted which seem to be fixed by a kernel
    > rebuild, but that could be a hardware problem. However, it could be
    > more indicative of an attack, maybe even a successful one.
    >
    > Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2
    > Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
    > 80.253.133.136 -> xx.xx.xx.120/123/125/127
    >
    > 120/127 are the end of my 8 IP block, 125 is the machine with the
    > funnies, and 123 is a Windows 98 VMware session that I've only just
    > finished installing Windows in.
    >
    > It's always those same IPs and never any of the others.
    >
    > My question is, what can I do to see whether my box has been
    > compromised (a rebuild's not much of a problem as I was going to do it
    > anyway :P) and could any of you "1337" (I use that term loosely)
    > help me?
    >
    > regards
    > charles

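Added example, not part of either message in this thread: a small triage script for the alert pattern described in the quoted report (one Snort signature, many sources, hits on the network and broadcast addresses of the /29). The function name `summarize`, the sample log and its addresses are constructed for illustration, and the "range sweep" flag is a heuristic assumed here, not something the posters state.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the syslog format of the alert quoted above; all
# addresses are RFC 5737 documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.7 -> 192.0.2.120
Aug 18 10:46:15 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.7 -> 192.0.2.123
Aug 18 10:51:02 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 203.0.113.5 -> 192.0.2.125
Aug 18 10:58:40 thunder kernel: eth0: link up
Aug 18 11:02:19 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.9 -> 192.0.2.127
"""

ALERT_RE = re.compile(
    r"snort: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[Classification: [^\]]*\] "
    r"\[Priority: \d+\]: \{\w+\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s*$"
)

def summarize(log_text, local_net):
    """Group Snort syslog alerts aimed at local_net by signature ID."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(lambda: {"msg": "", "alerts": 0, "src": set(), "dst": set()})
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a Snort alert line
        dst = ipaddress.ip_address(m["dst"])
        if dst not in net:
            continue  # alert for some other network
        entry = seen[int(m["sid"])]
        entry["msg"] = m["msg"]
        entry["alerts"] += 1
        entry["src"].add(m["src"])
        entry["dst"].add(dst)
    # Heuristic (assumption of this example): no host lives on the network or
    # broadcast address, so a hit there suggests the sender walks the range.
    edges = {net.network_address, net.broadcast_address}
    report = {}
    for sid, e in seen.items():
        report[sid] = {
            "msg": e["msg"], "alerts": e["alerts"],
            "distinct_sources": len(e["src"]),
            "targets": [str(a) for a in sorted(e["dst"])],
            "range_sweep": bool(edges & e["dst"]),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.120/29"))
```

A high distinct-source count for a single signature, together with the range-sweep flag, points at broad scanning that happens to cross the block; it says nothing by itself about whether any host in the block was compromised.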

