> > In short, it looks like there's two sets of worms out there. One is
> > scanning large contiguous netblocks in an obvious fashion, the other is
> > hunting and pecking about random IP addresses.

Wrong! What is happening is the worm always hits port 80; if it hits port 80 (regardless of whether it's Apache or IIS... it's port 80) it then drops the buffer overflow code on it. I have seen 4800 attacks on 3 class C's so far; I am about to hook in a few more sensors all night.

The worm attacks a random IP on port 80. If the port is closed you see this:

Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80

If port 80 is open you will then see this:

Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80

Also, to add, this is crashing Novell BorderManager servers, Cisco IOS (with web administration enabled, etc. etc...).

Hope this helps someone.

-Daniel Uriah Clemens

> > - --
> > "A true friend stabs you in the front."
> - Oscar Wilde
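To triage alerts like the ones quoted in the post at the rate it describes, the following added Python (not from the post or its author) parses snort alert lines of the two shapes shown above and separates probes that hit a closed port 80 (the misfiring IDS3 traceroute rule) from actual .ida overflow deliveries (IDS552), then flags sources seen doing both, which is what a single infected host sweeping random addresses looks like. The sample alert lines are constructed, modelled on the post's own, and the signature-name prefixes are taken from the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two snort alert forms quoted in the post.
SAMPLE_ALERTS = """\
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 19:04:49 ephesians snort: IDS3/scan_Traceroute TCP: 199.103.224.4:3183 -> 216.84.196.110:80
Jul 19 17:59:52 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2218 -> 216.84.194.3:80
Jul 19 18:02:11 ephesians/216.84.194.200 snort: IDS552/web-iis_IIS ISAPI Overflow ida: 203.69.169.4:2231 -> 216.84.194.7:80
Jul 19 18:05:30 ephesians snort: IDS3/scan_Traceroute TCP: 203.69.169.4:2240 -> 216.84.196.55:80
Jul 19 18:06:00 ephesians snort: IDS13/portmap-request-mountd: 10.0.0.5:1029 -> 216.84.194.9:111
"""

# "<timestamp> <sensor> snort: <signature>: <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"(?P<sig>.+?): (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def classify(sig, dport):
    """Map a signature + destination port to what the post says it means."""
    if dport != 80:
        return "other"
    if sig.startswith("IDS552/"):
        return "exploit_attempt"  # overflow payload delivered: port 80 was open
    if sig.startswith("IDS3/"):
        return "probe_closed"     # SYN to a closed port 80 tripped the traceroute rule
    return "other"

def parse_alerts(text):
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # silently skip lines that are not snort alerts
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["kind"] = classify(e["sig"], e["dport"])
            events.append(e)
    return events

def summarize(text):
    events = parse_alerts(text)
    totals = Counter(e["kind"] for e in events)
    per_src = {}
    for e in events:
        per_src.setdefault(e["src"], Counter())[e["kind"]] += 1
    # A source seen both probing closed hosts and delivering the overflow is
    # consistent with one infected host sweeping random addresses on port 80.
    sweepers = sorted(s for s, c in per_src.items()
                      if c["probe_closed"] and c["exploit_attempt"])
    return {"totals": totals, "per_src": per_src, "sweepers": sweepers}

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```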
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:04:43 PDT