Security Basics mailing list archives
Re: network worm
From: Mario Pascucci <ilpettegolo () yahoo it>
Date: Thu, 09 Dec 2004 21:30:09 +0100
On Wed, 2004-12-08 at 23:24, l c wrote:
> Hi all, in the past days our network was stressed by a lot of network worms (not found by the local antivirus, already up to date), with a stop of the traffic caused by a lot of ARP requests. The last one was WORM_SDBOT.ACJ, a worm that propagates itself using network shares and that Trend Micro (up to date) was unable to find, causing the saturation of the network switches and the related stop of all the work. The question is: "is there the possibility to set up an instrument (even Linux based) to sniff the network traffic with capabilities to find worms?". We already have a Linux based tool for network monitoring; this tool is useful to isolate hosts with a lot of ARP requests (typical of the worm), but this tool can't point us to which worm is doing the traffic. Thanks a lot, Luis
I use a Linux box with a Samba share named "C$" configured to be "world" writable, with a directory tree like:

winnt\
   |
   \system
   \system32

and with two users, "admin" and "administrator", without passwords, so that these worms that propagate through shares can be easily "trapped" in it. I capture about 10-15 new worms a week directly from the Internet (I have a flat ADSL). Mail me at the private address if you want more details.

HTH

--
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/
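An added example (my own, not the poster's setup) of the collection side of such a trap share: a Python pass over the share root that hashes every dropped file, records samples not seen before, and moves them out into a read-only quarantine so the share is empty again for the next drop. The share root, the quarantine path and the files written by demo() are assumptions for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:  # streamed so a large drop need not fit in RAM
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_trap(root: Path, inventory: dict) -> list:
    """Walk the trap share and return records for files whose SHA-256 is not
    yet in `inventory`, adding them to it (the same sample twice = one record)."""
    new = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest, size = sha256_of(p), p.stat().st_size
            except OSError:
                continue  # drop vanished or unreadable mid-walk; caught next pass
            if digest not in inventory:
                rec = {"sha256": digest, "path": str(p.relative_to(root)),
                       "size": size, "first_seen": time.time()}
                inventory[digest] = rec
                new.append(rec)
    return new

def quarantine(rec: dict, root: Path, qdir: Path) -> Path:
    """Move a new drop out of the share into a read-only, hash-named copy."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / rec["sha256"]
    os.replace(root / rec["path"], dest)  # qdir on the same filesystem as the share
    dest.chmod(0o400)
    return dest

def demo() -> dict:  # constructed sample: two files "dropped" into a temp share
    with tempfile.TemporaryDirectory() as tmp:
        root, qdir = Path(tmp) / "share", Path(tmp) / "quarantine"
        (root / "winnt" / "system32").mkdir(parents=True)
        (root / "winnt" / "system32" / "dropped.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "readme.txt").write_bytes(b"hello")
        inventory = {}
        first = scan_trap(root, inventory)
        moved = sorted(quarantine(r, root, qdir).name for r in first)
        second = scan_trap(root, inventory)  # share now empty: nothing new
        return {"first": first, "moved": moved, "second": second}
```

Run it periodically (cron or a loop) against the real share root; the inventory of hashes is what you hand to the AV vendor or compare against their signatures to name the worm.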
Current thread:
- network worm l c (Dec 08)
- RE: network worm Shawn Wall (Dec 09)
- RE: network worm Harshul Nayak (Dec 09)
- Re: network worm Brandon Glaze (Dec 10)
- Re: network worm Mario Pascucci (Dec 09)
- Re: network worm xyberpix (Dec 09)
- Re: network worm Kirk Schafer (Dec 17)
- <Possible follow-ups>
- RE: network worm Joe Cervantes (Dec 09)
- Re: network worm Steve Phipps (Dec 09)