At 06:17 AM 7/19/2001, aleph1at_private wrote:

>----- Forwarded message from Marc Maiffret <marcat_private> -----
>8. Infect a new host (send .ida worm to a "random" IP address on port 80).
>
>At this point the worm will resend itself to any IP addresses which it can
>connect to port 80 on. It uses multiple send()'s so packet traffic may be
>broken up. On a successful completion of send, it closes the socket and goes
>to step 6... therefore repeating this loop infinitely.

I wonder if these connects originate from port 80, too.
Somewhere I read about a source port 80, but maybe I mistake this with the acknowledging "GET".

greets,
corecode

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:16:25 PDT