Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: "Eloy A. Paris" <peloy () chapus net>
Date: Tue, 24 Sep 2002 14:54:22 -0400

Mike,

On Tue, Sep 24, 2002 at 09:56:16AM -0600, Mike Lewinski wrote:
[...]
> FYI, the IRC server mapped to lar.ath.cx was shut down around 12:50pm MDT
> yesterday, likely in response to a flood of incidents@ users joining the
> channel....
>
> Later, the A record for the server was changed:
>
> ;; ANSWER SECTION:
> lar.ath.cx.             86400   IN      A       10.0.1.128
>
> My test machine just grinds away trying to connect to the single hostname.
> It will resolve hostname and then send a SYN on 6667 about once per
> second.  No other unusual network activity has been observed from it.

Do you mean that your test machine was not able to connect to lar.ath.cx
(10.0.1.128)? If so, it is not able to connect because it is an
address that is not valid for the public Internet, so routers are not
forwarding traffic to the 10.x.x.x network.

Cheers!

Eloy.-

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
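
The behaviour reported in this thread (a SYN to port 6667 about once per second, toward a name whose A record now points at 10.0.1.128) can be picked out of outbound packet or flow records. The following is an added example, not part of the original messages; the record format, function names, thresholds and sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is in private space that Internet routers do not forward."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def find_retry_beacons(flows, port=6667, min_attempts=5, max_jitter=0.25):
    """Flag (src, dst) pairs that keep sending bare SYNs to dst:port at a steady
    interval without ever completing a handshake (hypothetical thresholds)."""
    syn_times, answered = defaultdict(list), set()
    for ts, src, dst, dport, flags in flows:   # outbound packets only
        if dport != port:
            continue
        if flags == "S":
            syn_times[(src, dst)].append(ts)
        elif "A" in flags:                     # client ACKed, so the connection was established
            answered.add((src, dst))
    findings = {}
    for key, times in syn_times.items():
        if key in answered or len(times) < min_attempts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:         # regular spacing suggests an automated retry loop
            findings[key] = {"attempts": len(times),
                             "interval": round(mean(gaps), 2),
                             "unroutable_dst": is_rfc1918(key[1])}
    return findings

# Constructed sample records: (epoch seconds, src, dst, dst port, TCP flags)
SAMPLE_FLOWS = (
    [(1000.0 + i, "192.168.5.10", "10.0.1.128", 6667, "S") for i in range(6)]  # stuck bot
    + [(1000.0, "192.168.5.20", "198.51.100.7", 6667, "S"),                    # ordinary IRC user
       (1000.2, "192.168.5.20", "198.51.100.7", 6667, "A"),
       (1000.5, "192.168.5.20", "198.51.100.7", 6667, "PA"),
       (1000.0, "192.168.5.30", "10.0.1.128", 6667, "S"),                      # too few attempts
       (1003.0, "192.168.5.30", "10.0.1.128", 6667, "S"),
       (1000.0, "192.168.5.10", "198.51.100.7", 80, "S")]                      # other port, ignored
)

if __name__ == "__main__":
    for (src, dst), report in find_retry_beacons(SAMPLE_FLOWS).items():
        print(src, "->", dst, report)
```

A finding with `unroutable_dst` set means the host is retrying against an address that cannot be reached from the public Internet, which matches the test machine described above after the A record was changed.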