Bugtraq mailing list archives
RE: Router Worm?
From: "BugTrap" <bugtrap () intercept net>
Date: Thu, 20 Nov 2003 16:10:11 -0500
I am now seeing these as well. I believe this is something new, as I have not seen this on my network until now and I've had welchia-infected PCs.

Michael

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Posted At: Thursday, November 20, 2003 12:14 PM
Posted To: BugTrap
Conversation: Router Worm?
Subject: RE: Router Worm?

I've never seen it do that, in the about 50 or so instances I've encountered. Does it only do it occasionally? Does it attack the same host against which 135/tcp failed, or some random third party? (Does it, perhaps, distinguish between 135/tcp "failed to connect" and 135/tcp "connected, but target was patched and so could not be infected"?)

David Gillett

-----Original Message-----
From: Jose Nazario [mailto:jose () monkey org]
Sent: November 19, 2003 17:06
To: Jay D. Dyson
Cc: Bugtraq
Subject: Re: Router Worm?

it's welchia/nachi. when it can't connect via 135/tcp, it will attempt an exploit against a webdav server (see MS03-007). i've seen an uptick in this in the past couple of days, too, visible on a few httpd servers i track. and i, too, was caught off guard until someone pointed out it was nachi to me. digging into the tech details showed that i (and many of us) had been overlooking a secondary attack.

___________________________
jose nazario, ph.d. jose () monkey org
http://monkey.org/~jose/