Full Disclosure mailing list archives

RE: Re: Outbreak of a virus on campus


From: "David Hale" <ddh () mtu edu>
Date: Sun, 25 Apr 2004 03:04:49 -0400 (EDT)

  Most folks should probably change the sid number to something above
1000000 to comply with snort standards.   My sid number was fairly
random based off the first number that came to my head.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University


  We have currently blocked connections to port to/from 7000 on the
following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

  This seems to have contained the spread of the worm within our campus.
The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)

  Until the block was in place we had shut down around 50 hosts (mainly on
our dorm network) that had been infected with the worm.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University
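The matching logic of the posted signature, re-implemented in Python as an added example (not code from the post or from Snort itself): it parses the one-line rule, evaluates it over constructed flow records, returns the destination hosts that would end up on the port-7000 block list, and applies the local-SID convention the reply mentions. $HOME_NET is a hypothetical 10.0.0.0/8 and the flow records are constructed, not captures.

```python
import ipaddress
import re
# Hypothetical $HOME_NET for this example; the post does not give the campus range.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
# The rule from the post.
SNORT_RULE = ('alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; '
              'content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)')
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                     r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Header fields plus an option dict; splitting on ';' is fine as this rule has none inside quotes."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError("not a Snort rule: %r" % text)
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return dict(m.groupdict(), opts=opts)
def _addr_ok(spec, ip):
    if spec == "any":
        return True
    nets = HOME_NET if spec == "$HOME_NET" else [ipaddress.ip_network(spec, strict=False)]
    return any(ip in net for net in nets)
def rule_matches(rule, flow):
    """Header checks plus the 'content' option; msg/sid/rev/classtype are metadata only."""
    if flow["proto"] != rule["proto"]:
        return False
    if not (_addr_ok(rule["src"], ipaddress.ip_address(flow["src"]))
            and _addr_ok(rule["dst"], ipaddress.ip_address(flow["dst"]))):
        return False
    for spec, port in ((rule["sport"], flow["sport"]), (rule["dport"], flow["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in flow["payload"]
def sid_is_local(rule):
    """SIDs of 1,000,000 and above are the convention for locally written rules."""
    return int(rule["opts"]["sid"]) >= 1000000
def block_list(rule, flows):
    """Destination hosts of matching flows: the list that got blocked on port 7000."""
    return sorted({f["dst"] for f in flows if rule_matches(rule, f)})
# Constructed flow records (not captures); remote addresses are the hosts listed in the post.
FLOWS = [
    {"proto": "tcp", "src": "10.1.2.3", "sport": 4123, "dst": "130.74.82.206", "dport": 7000, "payload": b"JOIN #weednet\r\n"},
    {"proto": "tcp", "src": "10.1.2.4", "sport": 4200, "dst": "131.234.100.43", "dport": 7000, "payload": b"JOIN #weednet\r\n"},
    {"proto": "tcp", "src": "10.1.2.5", "sport": 4300, "dst": "193.87.20.31", "dport": 6667, "payload": b"JOIN #weednet\r\n"},  # not port 7000
    {"proto": "tcp", "src": "198.51.100.9", "sport": 5000, "dst": "10.1.2.6", "dport": 7000, "payload": b"weednet"},  # not from $HOME_NET
]
```

Running `block_list(parse_rule(SNORT_RULE), FLOWS)` yields only the two hosts contacted on port 7000 from inside $HOME_NET; the other two flows fail the port or source check even though both carry the content string.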



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
