A couple things I seem to be seeing:

Infected hosts do what appears to be a netscan.
Infected hosts produce an INSANE amount of ARP traffic.

Also I'm keying on the following file searches:

    mmc.exe
    *.eml
    root.exe

So far I seem to be finding the infected machines. Can anyone else out there confirm the ARP traffic correlation?

----
Justin Hahn                ProfitLogic
jhahnat_private            11 Cambridge Center
Systems Administrator      Cambridge, MA 02142
o: 617-218-1986            www.profitlogic.com
m: 617-501-2743
f: 617-218-1901

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 16:23:23 PDT
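One way to check the ARP correlation raised in the post above against a capture, as an added example that is not part of the original message. It assumes tcpdump-style text lines containing "who-has <target> tell <sender>"; the thresholds, function names and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the request part of tcpdump's ARP text output (assumed input format).
WHO_HAS = re.compile(r"who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")

def arp_profile(lines):
    """Return {sender: (request_count, distinct_target_count)} for ARP requests."""
    counts, targets = defaultdict(int), defaultdict(set)
    for line in lines:
        m = WHO_HAS.search(line)
        if not m:
            continue  # replies and non-ARP lines are ignored
        target, sender = m.groups()
        counts[sender] += 1
        targets[sender].add(target)
    return {s: (counts[s], len(targets[s])) for s in counts}

def suspects(lines, min_requests=50, min_targets=30):
    """Senders with both high ARP volume and a wide target spread.

    Requiring both separates a subnet sweep from a host that merely retries
    one unreachable address. Thresholds are assumed values; tune per network.
    """
    prof = arp_profile(lines)
    return sorted(s for s, (n, t) in prof.items()
                  if n >= min_requests and t >= min_targets)

def sample_capture():
    """Constructed sample lines, not taken from any real capture."""
    fmt = "16:02:{:02d}.{:06d} ARP, Request who-has {} tell {}, length 28"
    lines = []
    # Sweeping host: one request per address across the subnet.
    for i in range(1, 201):
        lines.append(fmt.format(11, i, f"10.0.0.{i}", "10.0.0.23"))
    # Ordinary workstation: a few requests for two well-known addresses.
    for i in range(6):
        lines.append(fmt.format(12, i, f"10.0.0.{1 + i % 2}", "10.0.0.40"))
    # Chatty but harmless: many retries for a single address.
    for i in range(80):
        lines.append(fmt.format(13, i, "10.0.0.254", "10.0.0.77"))
    lines.append("16:02:14.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28")
    return lines

if __name__ == "__main__":
    for host in suspects(sample_capture()):
        print("possible scanning host:", host)
```

Hosts flagged this way are candidates only; the file searches listed in the post are what confirm them.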