Full Disclosure mailing list archives
RE: Re: Outbreak of a virus on campus
From: "David Hale" <ddh () mtu edu>
Date: Sun, 25 Apr 2004 03:04:49 -0400 (EDT)
Most folks should probably change the sid number to something above 1000000 to comply with snort standards. My sid number was fairly random based off the first number that came to my head.

-Dave Hale
Sr. Security Specialist
Michigan Technological University

We have currently blocked connections to port to/from 7000 on the following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

This seems to have contained the spread of the worm within our campus. The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)

Until the block was in place we had shut down around 50 hosts (mainly on our dorm network) that had been infected with the worm.

-Dave Hale
Sr. Security Specialist
Michigan Technological University
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
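
The sid advice in the message above, as an added example that is not part of the original post: a small check that parses a Snort rule's option block and flags a sid below the local-rule range. The sid ranges are taken from the Snort manual; RENUMBERED_RULE and its sid value 1000001 are constructed for illustration.

```python
# Added example: checks the sid of a locally written Snort rule.
# Ranges per the Snort manual: <100 reserved, 100-999999 rules distributed
# with Snort, >=1000000 local rules.
LOCAL_SID_MIN = 1_000_000

# The rule as posted in the message above.
POSTED_RULE = ('alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; '
               'content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)')
# Constructed variant: same rule with an example sid in the local range.
RENUMBERED_RULE = POSTED_RULE.replace("sid:71727;", "sid:1000001;")


def parse_options(rule):
    """Split the (...) option block into {keyword: [values]}; ';' in quotes is data."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block")
    opts, buf, in_quote, escaped = {}, [], False, False
    for ch in rule[start + 1:end] + ";":
        if ch == ";" and not in_quote and not escaped:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.setdefault(key.strip(), []).append(val.strip())
            buf = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        buf.append(ch)
    return opts


def check_local_sid(rule):
    """Return findings about the rule's sid and rev; an empty list means OK."""
    opts = parse_options(rule)
    sids = opts.get("sid", [])
    if len(sids) != 1 or not sids[0].isdigit():
        return ["rule must carry exactly one numeric sid"]
    sid, findings = int(sids[0]), []
    if sid < LOCAL_SID_MIN:
        findings.append(f"sid {sid} is below {LOCAL_SID_MIN}; renumber to avoid "
                        "colliding with reserved or distributed rule sids")
    if "rev" not in opts:
        findings.append("no rev option; add rev:1 so later edits can be tracked")
    return findings


if __name__ == "__main__":
    for rule in (POSTED_RULE, RENUMBERED_RULE):
        print(check_local_sid(rule) or "ok")
```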