Full Disclosure mailing list archives

Re: RE: Increased TCP 139 Activity


From: Andrew Simmons <andrews () mis-cds com>
Date: Fri, 10 Oct 2003 16:59:41 +0100

Choe.Sung Cont. PACAF CSS/SCHP wrote:

> Ron Dufresne wrote:
>
> > If this is indeed the case, the ping sweep will all be packets of 92 bytes,
> > these are Windows packets, and the recent rpcdcom sploits are the culprit.
>
> ICMP packets 92 bytes in size (72 bytes + 20 bytes for header) are usually
> due to a Welchia-infected host trying to propagate.  It is not an rpcdcom
> exploit.



I believe Windows `tracert' program uses 92 byte ICMP packets.

\a


> V/r,
> Sung J. Choe
> PACAF CSS/SCHP, PACAF NOSC
> Information Assurance Analyst
> DSN: 315-449-4317, Comm: 808-449-4317





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
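The thread turns on the fact that packet size alone does not separate a Welchia ping sweep from Windows `tracert`, since both produce 92-byte ICMP packets. The following is an added example, not part of the original posts, that classifies 92-byte echo requests on a sensor. It assumes, beyond what the thread states, that Welchia fills its echo payload with 0xAA bytes and that Windows `tracert` sends zero-filled payloads with TTLs no higher than its 30-hop default; the function names and sample packets are constructed for illustration.

```python
import struct

ICMP_ECHO_REQUEST = 8
TRACERT_MAX_TTL = 30  # assumption: tracert's default maximum hop count


def build_echo(ttl, payload, src=b"\xc0\x00\x02\x0a", dst=b"\xc0\x00\x02\x14"):
    """Constructed sample: IPv4 + ICMP echo request, checksums left at zero."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     ttl, 1, 0, src, dst)
    return ip + icmp


def classify(packet):
    """Label a raw IPv4 packet; only 92-byte ICMP echo requests get a verdict."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    ttl, proto = packet[8], packet[9]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return "malformed"
    if proto != 1 or packet[ihl] != ICMP_ECHO_REQUEST:
        return "not-echo-request"
    if total_len != 92:
        return "other-size"
    payload = packet[ihl + 8:total_len]
    if payload == b"\xaa" * len(payload):
        return "welchia-like"      # assumed Welchia payload pattern
    if payload == b"\x00" * len(payload) and ttl <= TRACERT_MAX_TTL:
        return "tracert-like"      # assumed tracert payload and TTL range
    return "unclassified-92-byte"


if __name__ == "__main__":
    samples = {
        "sweep": build_echo(128, b"\xaa" * 64),
        "trace": build_echo(3, b"\x00" * 64),
        "ping": build_echo(128, b"abcdefghijklmnopqrstuvwabcdefghi"),
    }
    for name, pkt in samples.items():
        print(name, len(pkt), classify(pkt))
```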

