Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: "Eloy A. Paris" <peloy () chapus net>
Date: Tue, 24 Sep 2002 14:54:22 -0400
Mike, On Tue, Sep 24, 2002 at 09:56:16AM -0600, Mike Lewinski wrote: [...]
FYI, the IRC server mapped to lar.ath.cx was shut down around 12:50pm MDT yesterday, likely in response to a flood of incidents@ users joining the channel.... Later, the A record for the server was changed: ;; ANSWER SECTION: lar.ath.cx. 86400 IN A 10.0.1.128 My test machine just grinds away trying to connect to the single hostname. It will resolve hostname and then send a SYN on 6667 about once per second. No other unusual network activity has been observed from it.
Do you mean that your test machine was not able to connect to lar.ath.cx (10.0.1.128)? If so, it is not being able to connect because it is an address that is not valid for the public Internet, so routers are not forwarding traffic to the 10.x.x.x network. Cheers! Eloy.- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: new IIS worm? (rcp lsass.exe), (continued)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Lasse Sundström (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
- Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Eloy A. Paris (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Mark Challender (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
(Thread continues...)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)