Security Incidents mailing list archives
Re: Worm on 445/tcp?
From: Stephen Friedl <steve () unixwiz net>
Date: Tue, 17 Dec 2002 17:46:55 -0800
> My second octet is 144, above the 127 rule. But, unless you are reading backwards (and the second being the third and the fourth being the first) then the 216 is still above the 127 rule... Then again, I may have missed part of the posts and spt could be originating from 445 as well, which in that case this could be just regular network rejects as usual.

Your logs were almost certainly not from this worm: the code is quite clear that the second and fourth octets (1.*2*.3.*4*) won't be above 127, and I do not believe this worm was even around back on the 9th - myNetWatchman first saw this activity on the 14th.

Looks like yer usual internet riff-raff to me :-)

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve () unixwiz net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com