Security Incidents mailing list archives
Possible variant of Blaster/Nachi/Welchia?
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 26 Sep 2003 11:25:18 -0400
I have seen some STRANGE traffic on our dorms this morning. The dorms are all on a private network 172.18.0.0. I have hosts (10 so far) that are doing this:
    spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
    same spoof 172.x.x.x ICMP --> another random 172.x.x.x
    same spoof 172.x.x.x ICMP --> another random 172.x.x.x

About once or twice a minute the ICMPs continue, but the UDP isn't repeated. It appears to be spreading (new machines showing up doing the same thing). Any ideas, clues, ring any bells?

Jeff