Full Disclosure mailing list archives

Point of origin for new worm (was Re: AT&T US Network Slowdown?)


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Tue, 19 Aug 2003 03:47:07 -0700

Someone wrote (in a private correspondence):
On Tue, Aug 19, 2003 at 03:24:50AM -0700, Etaoin Shrdlu wrote:

...but half a gig of snort
logs, in a time period where it might normally be a few megabytes at most,
is just insane. I have very few rules; unfortunately, rules about Echo
requests are necessary. They are almost entirely drowning out any other
information, however.

This next paragraph is significant.

What's odd is the spread (or lack of it) by this new creature. It seems
very localized, not spreading in the same algorithm as the others at all.
For instance, most of the garbage pings I'm seeing come from the DSL
blocks, very few from the cable modem crowd, and another large bunch from
APNIC space, and from Eastern Europe. Weird. I live in the DSL world
(natch), so would expect to see a large grouping around my IP space, but
not the others. Ah, well, it's probably just an artifact of time zones,
considering what a short time it's currently covering (last 5 hours).

Hi..maybe you've located the origin or near origin of the
infection?

and someone else (on another list) stated:

We are currently seeing the slowdown on our network in San Jose.

I'd like to point out that my ISP is XO (formerly known as Concentric), and
that its home base (for me, at least) is in San Jose. I suspect that it is
quite possible that the point of origin for this new piece of crap is
indeed somewhere in the San Jose area, and that it was almost certainly
inserted yesterday morning.

--
...most of us have as our claim to fame the ability to talk to
inanimate objects and convince them they want to listen to us.
                   Valdis Kletnieks
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

