nanog mailing list archives
Re: W32/Sobig-F - Halflife correlation ???
From: Owen DeLong <owen () delong com>
Date: Thu, 28 Aug 2003 09:58:30 -0700
Realistically, it doesn't need a hole to communicate. All it needs to do is impersonate a player that doesn't mind dying a lot. It can still communicate with its "team-mates" using the built-in communications channels in the game and it can still use CS servers as a directory service. These are FEATURES of the game with no vulnerability required.

Owen

--On Tuesday, August 26, 2003 6:12 AM -0500 Adam 'Starblazer' Romberg <star () extremepcgaming net> wrote:
Regarding the Half-Life exploits, the 'remote root' exploits have been addressed to VALVe and they were fixed in 3.1.1.1d for linux (4.1.1.1d for win32).. which was released July 30th 2003 [1]. Now, the bug was reported to VALVe on April 18th 2003, but it didn't hit bugtraq until July 29th, 2003 [2]. On the other hand though, a lot of server admins (from what I can grasp from the hlds_linux mailing list) do not run x.1.1.1d for the simple fact that it uses a bit more CPU than x.1.1.0c. There is an unofficial patch for x.1.1.0c that does plug the hole. Unless this worm's communicating with an unknown hole or something...

Thanks

Adam

[1] http://www.mail-archive.com/hlds_linux%40list.valvesoftware.com/msg17381.html
[2] http://www.securityfocus.com/archive/1/330880/2003-07-26/2003-08-01/0

----------------------------------------------------
Adam 'Starblazer' Romberg      Appleton: 920-738-9032
System Administrator           ExtremePC LLC -=- http://www.extremepcgaming.net

On Mon, 25 Aug 2003, Darren Smith wrote:

Did anyone else see anything with regards to this thread?

Regards

Darren Smith

----- Original Message -----
From: "Darren Smith" <data () barrysworld com>
To: "Robert Blayzor" <rblayzor () inoc net>; "North American Network Operators Group" <nanog () merit edu>
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???

>
> Hi
>
> Just a quick look at my syslog file, where MOO is the name of my ACL.
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
> 2383
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
> 459
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
> 210
>
> fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
> 59
>
> As you can see most of them were on 27015, these logs were from just
> one of my transit interfaces.
>
> Best Regards
>
> Darren Smith
>
> ----- Original Message -----
> From: "Robert Blayzor" <rblayzor () inoc net>
> To: "North American Network Operators Group" <nanog () merit edu>
> Sent: Saturday, August 23, 2003 1:05 PM
> Subject: Re: W32/Sobig-F - Halflife correlation ???
>
>
> >
> > On 8/23/03 7:17 AM, "Darren Smith" <data () barrysworld com> wrote:
> >
> > > They were trying to hit servers in multiple subnets, all on ports
> > > 270XX.
> >
> > I'm not sure on this. Lots of gaming servers use the 270XX UDP
> > range. Quake3, HL, etc.
> >
> > It may be possible it's just probing for other HL servers running on
> > different ports. A lot of these games also use the same gaming
> > engine for the network and graphics abilities, so it's possible HL
> > may not be the only "game server" in the mix, it may be any game that
> > uses the HL engine. I know there are several out there, Counterstrike
> > being one of them.
> >
> > So if it's not looking for a HL only exploit, I'd bet it's trying to
> > get the infected machines to link up and communicate via the network
> > of gaming servers. This could be very bad because there could be
> > virtually no way to stop this other than taking down the "Game Spy"
> > type networks so the computers can't find each other.
> >
> > --
> > Robert Blayzor, BOFH
> > INOC, LLC
> > rblayzor () inoc net
> > PGP: http://www.inoc.net/~dev/
> > Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9
> >
> > "Oh my God, Space Aliens!! Don't eat me, I have a wife and kids!
> > Eat them!" -- Homer J. Simpson
> >
> >
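An added example, not written by anyone in the thread: a small Python script that applies Darren's per-port counting idea to Cisco logging-ACL syslog lines. The `%SEC-6-IPACCESSLOGP` line shape is assumed (the thread shows only the grep pipeline, not the log lines), the sample lines and hosts are constructed, and the ACL name MOO is the one from the thread. It keys on the parsed destination port rather than a bare grep for the digits, and reports sources that touched several distinct servers, which is the "probing for other servers" pattern Robert speculates about, as opposed to one client talking to its own game server.

```python
import re
from collections import Counter, defaultdict

# Assumed Cisco IOS logging-ACL line shape ("list <ACL> denied udp src(port) -> dst(port)");
# the thread only shows the grep pipeline, not the log lines themselves.
ACL_LOG = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample lines (not Darren's real syslog); the ACL name MOO is from the thread.
SAMPLE_LOG = """\
Aug 23 13:01:02 rtr1 1234: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1025) -> 192.0.2.10(27015), 3 packets
Aug 23 13:01:03 rtr1 1235: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1025) -> 192.0.2.11(27015), 1 packet
Aug 23 13:01:04 rtr1 1236: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.9(27015) -> 192.0.2.20(53), 1 packet
Aug 23 13:01:05 rtr1 1237: %SEC-6-IPACCESSLOGP: list MOO denied udp 203.0.113.4(2048) -> 192.0.2.12(27016), 1 packet
Aug 23 13:01:06 rtr1 1238: %SEC-6-IPACCESSLOGP: list OTHER denied udp 203.0.113.4(2048) -> 192.0.2.12(27015), 1 packet
Aug 23 13:01:07 rtr1 1239: %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1025) -> 192.0.2.13(27017), 1 packet
"""

GAME_PORTS = range(27015, 27020)  # the 270XX range the thread is looking at


def naive_grep_count(log_text, acl, port):
    """What `fgrep MOO ... | grep 27015 -c` really counts: the digits anywhere
    on the line, so a *source* port of 27015 (line 3 above) is counted too."""
    return sum(1 for line in log_text.splitlines() if acl in line and str(port) in line)


def count_by_dport(log_text, acl="MOO", ports=GAME_PORTS):
    """Count hits per parsed destination port, and record which distinct
    destination hosts each source touched on those ports."""
    per_port = Counter()
    dsts_per_src = defaultdict(set)
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if not m or m["acl"] != acl:
            continue
        dport = int(m["dport"])
        if dport in ports:
            per_port[dport] += 1
            dsts_per_src[m["src"]].add(m["dst"])
    return per_port, dsts_per_src


def sweeping_sources(dsts_per_src, min_hosts=3):
    """Sources that hit several distinct servers look like a sweep of the
    270XX range, not one client talking to the one server it plays on."""
    return sorted(src for src, dsts in dsts_per_src.items() if len(dsts) >= min_hosts)
```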