Security Incidents mailing list archives

Re: More on the Worm


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Sep 2001 17:14:03 -0400

On Tue, Sep 18, 2001 at 11:52:37AM -0700, Aj Effin Reznor wrote:
> Seems this may also be hitting somehow on/over SAMBA.
> 
> A colleague (Alien8) had this to say about his SGI Indy
> with SAMBA running:
> 
> "I started seeing a printout (w/no actual print command) 
> of the file (not sure why) and realized it was coming 
> from my indy... there was all sorts of traffic so i ran 
> tcpdump, and then turned off samba altogether and it 
> nearly disappeared (the traffic)"

        The worm is known to attempt netbios connections (showing up
as port 136 or 445 connections) and connecting to SMB shares (Windows
or Samba) as guest.  If it can connect, it attempts to propagate
through that share.  Sounds to me like it hit a Samba share and
started to copy itself in, but it turned out to be a printer share and
printed instead.  Because Samba is pretty versatile, it's easy to
advertise a share as something it's not, like advertising a printer
share but not as a printer.  The worm could have mistaken a printer
share for a drive share.

        You didn't say where the printer was connected (connected to the
Indy would be consistent or direct network connection with a Samba
printer share would be consistent).

        It's highly unlikely that the worm itself was running on the
Indy.  Its known behaviors would be consistent with it connecting to
a share on the Indy and feeding itself in and ending up on the printer.

> -aj.

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
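The exchange above comes down to one question for anyone running Samba during this outbreak: which shares will accept a session from a client that has no credentials at all, and what can such a client do there. The audit below is an added example, not code from the original thread or from the Samba project. It parses an smb.conf the way Samba reads it (parameter names compared case- and whitespace-insensitively, the synonyms "public"/"guest ok", "print ok"/"printable" and "read only"/"writable" folded together, and Samba's defaults of guest ok = no, read only = yes and [printers] printable) and reports every available share a guest could write into or spool to. The sample configuration is constructed for the example. The global "map to guest" line is what turns a failed login into a guest session; whether that session gets anywhere is then decided per share by "guest ok", which is what the audit keys on. It does not model the old "security = share" mode or username-based restrictions such as "valid users"; treat those as out of scope.

```python
"""
Audit an smb.conf for shares that an anonymous (guest) SMB client could
write into or spool data to.  Added example with a constructed config;
this is not Samba code.
"""
import re

# Samba compares parameter names case- and whitespace-insensitively and
# accepts these synonyms; normalise every name to one spelling.
SYNONYMS = {"public": "guestok", "printok": "printable",
            "writeable": "writable", "writeok": "writable"}
TRUE_VALUES = {"yes", "true", "1"}


def _norm_key(key):
    key = re.sub(r"\s+", "", key).lower()
    return SYNONYMS.get(key, key)


def _as_bool(value):
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Return {section_name: {normalised_param: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_norm_key(key)] = value.strip()
    return sections


def _lookup(share, globals_, key, default):
    """Share value, else the [global] value for the same parameter, else Samba's default."""
    if key in share:
        return share[key]
    return globals_.get(key, default)


def effective_share(name, share, globals_):
    """Resolve the parameters that decide what a guest can do on one share."""
    available = _as_bool(_lookup(share, globals_, "available", "yes"))
    guest_ok = _as_bool(_lookup(share, globals_, "guestok", "no"))
    # [printers] is printable by default; every other share is not.
    printable = _as_bool(_lookup(share, globals_, "printable",
                                 "yes" if name == "printers" else "no"))
    # "writable = yes" and "read only = no" mean the same; read only = yes is the default.
    if "writable" in share:
        writable = _as_bool(share["writable"])
    elif "readonly" in share:
        writable = not _as_bool(share["readonly"])
    elif "writable" in globals_:
        writable = _as_bool(globals_["writable"])
    elif "readonly" in globals_:
        writable = not _as_bool(globals_["readonly"])
    else:
        writable = False
    return {"available": available, "guest_ok": guest_ok,
            "printable": printable, "writable": writable}


def audit(text):
    """Return [(share, finding)] for every share an anonymous client could abuse."""
    conf = parse_smb_conf(text)
    globals_ = conf.get("global", {})
    findings = []
    for name, share in conf.items():
        if name == "global":
            continue
        eff = effective_share(name, share, globals_)
        if not eff["available"] or not eff["guest_ok"]:
            continue
        if eff["printable"]:
            findings.append((name, "guest can spool arbitrary data to the printer"))
        elif eff["writable"]:
            findings.append((name, "guest can write files into the share"))
        else:
            findings.append((name, "guest can read the share"))
    return findings


# Constructed sample configuration for the example; not a real host's smb.conf.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = LAB
   map to guest = Bad User
   guest account = nobody

[public]
   path = /export/public
   public = yes
   read only = no

[printers]
   path = /var/spool/samba
   print ok = yes
   guest ok = yes

[private]
   path = /export/private
   valid users = alice
   writable = yes

[oldlp]
   printable = yes
   public = yes
   available = no
"""

if __name__ == "__main__":
    for share, finding in audit(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

Run against a live host with audit(open("/etc/smb.conf").read()). On the sample it flags [public] (guest can write, which is the copy-itself-in case) and [printers] (guest can spool, which matches the unexpected printout Alien8 saw); [private] is skipped because guest ok defaults to no, and [oldlp] because it is marked unavailable.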


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

