Hello all,

Just a fun incident here. This page (http://isc.incidents.org/aion.html) describes the modified slapper worm running port 4156 UDP instead of 2002. Our honeypot (RH Linux 7.x) was hit with this thing. I figured that by now ukr.net have taken care of the email address and nobody will get an email from the worm.

I was in for a big surprise. A bit less than a half day after the worm left its deadly trace on the box, it started downloading tools and talking IRC (as usual, in good ole Romanian)...

I have not noticed any prior scans for port 1052. So it appears that folks are using those newly built worm networks. I suspect that people look for worm scans on their own boxes and then take over the machines that scan.

I just started looking thru the logs and I begin to see IRC channels where those "worm" hang out...

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 09:53:04 PDT