Full Disclosure mailing list archives

RE: RE: Possible new variant of Nachi

From: "Ferris, Robin" <R.Ferris () napier ac uk>
Date: Fri, 26 Sep 2003 10:38:32 +0100

Further to this you add the fact ms03-026 wasn't totally effective, I'm
starting go like this hypothesis even more

RF

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu]
Sent: 25 September 2003 19:40
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] RE: Possible new variant of Nachi

Working hypothesis is as follows:

Hosts were turned off previously so they didn't show up in routine
scanning.  Then they were turned on and got infected with Nachi.  Nachi
patched for MS03-026.  Then a scan showed them patched for MS03-026 but
not for MS03-039.  Then snort reported their infection.  So, it appears
to be a timing issue rather than something new.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Possible new variant of Nachi Schmehl, Paul L (Sep 25)
- <Possible follow-ups>
- RE: RE: Possible new variant of Nachi Ferris, Robin (Sep 26)