Security Incidents mailing list archives
RE: POSSIBLE WORM / DDOS ?
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 5 Apr 2002 12:20:51 -0500
Certainly looks strange. Can you tell us something about the infected host (OS, services, etc.)? It's hard to tell how this is operating without that information. It will also give us insight into whether this may have been a worm, virus infection, targeted compromise, etc.

Also curious as to what information, if any, you have that leads you to believe that this may be a worm. Its targets appear to be random (not generated by any obvious, calculated method), which may be coming from a list, or could be entered manually if someone has control of this box.

Also, a quick spot check indicates that most of the destinations are FTP servers, all of which appear to be properly functioning as FTP servers (nothing else has taken over those ports). Could just be a compromised host being used to scan for anon. FTP, etc.

It also doesn't appear to be a DDoS, as you're really not hitting any single target with any amount of data. And no agents appear to be running (first glance, anyway) on the targets. I don't have NMAP capability outside of this network right now, so I can't check.

Cheers

Keith

-----Original Message-----
From: Eric Weaver [mailto:eric.weaver () ids2 net]
Sent: Friday, April 05, 2002 10:00 AM
To: Incidents () securityfocus com
Subject: POSSIBLE WORM / DDOS ?

POSSIBLE WORM / DDOS

Appears to be target port 21 and/or spreading via SMB.

This is all I have right now:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com