Re: Linux Slapper Worm and Linksys

From: Pavel Lozhkin (pavelat_private)
Date: Fri Sep 20 2002 - 04:35:22 PDT


    I can't claim that the reason for that is *exactly* Slapper... but the
    Linksys in a firm where I'm a part-time security consultant has the same
    problem. It died yesterday and was replaced by a Cisco (ohhh... good
    choice, I guess) after the IDS had detected a Slapper scan.
    
    So I can *CONFIRM* this.
    
    Mike Lewinski wrote:
    > Unless the Linksys runs a service on tcp/443 (or udp/2002 perhaps), I
    > doubt it's the same problem.
    > 
    > With the Cisco 675s, I believe their http implementation had its own
    > overflows and was knocked out by the requests.
    > 
    > In this case, it's more likely that the poor Linksys got crushed by the
    > load of scanning. An old 2518 we have still in service showed almost 90%
    > of available memory consumed by the worm. It also increased cpu
    > utilization from 3% to over 50%, and caused a noticeable increase in
    > interface errors on both LAN and WAN ports in another case.
    > 
    > Mike
    > 
    > 
    > ----- Original Message -----
    > From: "James Williams" <jwilliamsat_private>
    > To: <incidentsat_private>
    > Sent: Thursday, September 19, 2002 7:11 AM
    > Subject: Linux Slapper Worm and Linksys
    > 
    > 
    > 
    >>Has anybody heard of or seen the Slapper worm DoS a Linksys SOHO router out
    >>of commission? A co-worker whose machine had been infected over the weekend
    >>had his Linksys router die over the same period that his box had been
    >>infected with the worm. I know that Nimda had a similar effect on the Cisco
    >>67x Series ADSL routers running a certain firmware revision and I was
    >>wondering if the Slapper had a similar effect with the Linksys SOHO routers.
    >>
    >>James Williams
    >>Network Systems Technician
    >>West Texas A&M University
    >>http://www.wtamu.edu
    >>Phone: (806) 651-2162
    >>Email: jwilliamsat_private
    >>
    >>
    >>
    > 
    > ----------------------------------------------------------------------------
    > 
    >>This list is provided by the SecurityFocus ARIS analyzer service.
    >>For more information on this free incident handling, management
    >>and tracking system please see: http://aris.securityfocus.com
    
    -- 
    Pavel
    ICQ UIN 39596913 8990192
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 20 2002 - 12:05:07 PDT