On Wed, Sep 19, 2001 at 11:13:30AM -0600, Brett Glass wrote:

> Messages bearing the worm are starting to trickle in, slowly. It
> may be that the worm is designed to start e-mailing only after the
> infection is a certain number of hours old.
>
> Sadly, the copies of the worm we're receiving are coming from
> companies whose employees we'd expect to know better than to
> leave machines unprotected -- such as V-One and SCO.

Make sure you know who you are throwing stones at. The worm is spoofing
the From addresses. I just got done researching a pile of them because
people reported one of our majordomo servers was sending out the worm.
Considering that it was a Linux box, that would have been a good trick.
Header analysis indicated one particular IP address we had never heard of
was sending out all the copies of the worm with our majordomo server as
the From address. I got five copies of the worm from five different
sources and all of them tracked back to one IP address and none of them
had any headers indicating that the message had been anywhere near our
site. Sigh... Maybe it was someone who had recently subscribed to one of
our mailing lists or something, but I can't find where we've ever even
been in contact with any address within that /16...

> I agree that it will be a very long week. None of our machines
> is susceptible to the worm, but our backbone feed is getting
> hammered. I wish we had a firewall under our control at our
> upstream provider.
>
> --Brett Glass
>
> At 11:08 AM 9/19/2001, jforsterat_private wrote:
> >I got a few copies of this worm (via e-mail) this afternoon.
> >Sadly, someone else in the office did as well (or hit an infected site).
> >It's going to be a long week....

I know of several people who have been burned by browsing a contaminated
web site. Then the damn thing drops its turds all over every directory
and on all the network shares it can reach and on and on...

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  (The Mad Wizard)     |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
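The header tracing Mike describes (a spoofed From: address, every copy leading back to one IP in the Received chain) as an added example, not code from the thread: it parses a constructed message whose hosts and addresses are all made up, walks the Received hops from newest to oldest, and checks whether the From: domain ever appears in the chain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (every host and address is made up): From: claims a
# list server at example.org, yet no Received hop ever touches example.org.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by lists.example.com (Postfix) with ESMTP id ABC123;
    Wed, 19 Sep 2001 11:02:17 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.5])
    by mx.example.net with SMTP; Wed, 19 Sep 2001 11:01:59 -0600
Received: from host12 (unknown [203.0.113.77])
    by relay.isp.example with SMTP; Wed, 19 Sep 2001 11:01:40 -0600
From: majordomo@example.org
Subject: readme.exe

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)

def received_hops(raw):
    """Hops newest (top) to oldest (bottom) as
    (claimed sending host, IP the receiver recorded, receiving host)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold the header
        m, ip = HOP_RE.search(flat), IP_RE.search(flat)
        hops.append((m.group(1) if m else None,
                     ip.group(1) if ip else None,
                     m.group(2).rstrip(";") if m else None))
    return hops

def origin_ip(raw):
    """IP recorded in the oldest hop: the lead on where the copy came from."""
    hops = received_hops(raw)
    return hops[-1][1] if hops else None

def from_domain_seen_in_chain(raw):
    """True if the From: domain matches any hop's sending or receiving host;
    a From: domain absent from the whole chain is a spoofing indicator."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hosts = [h.lower() for hop in received_hops(raw)
             for h in (hop[0], hop[2]) if h]
    return bool(domain) and any(h == domain or h.endswith("." + domain)
                                for h in hosts)
```

Only the hops written by relays you trust are reliable, since a sender can prepend forged Received lines below them; treat the bottom-most IP as a lead to confirm against your own MX's logs, not as proof.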
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:59:29 PDT