Security Incidents mailing list archives

Re: Worm on 445/tcp?


From: Stephen Friedl <steve () unixwiz net>
Date: Tue, 17 Dec 2002 17:46:55 -0800

> My second octet is 144, above the 127 rule. But, unless you are reading 
> backwards (and the second being the third and the fourth being the first)
> then the 216 is still above the 127 rule... Then again, I may have missed 
> part of the posts and spt could be originating from 445 as well, which in 
> that case this could be just regular network rejects as usual.

Your logs were almost certainly not from this worm: the code is quite clear
that the second and fourth octets (1.*2*.3.*4*) won't be above 127, and
I do not believe this worm was even around back on the 9th - myNetWatchman
first saw this activity on the 14th.

Looks like yer usual internet riff-raff to me :-)

Steve

--- 
Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
www.unixwiz.net  | I speak for me only |   KA8CMY   | steve () unixwiz net
