Re: slapper worm varient "cinik"

From: Anton A. Chuvakin (antonat_private)
Date: Wed Sep 25 2002 - 11:38:30 PDT

Next message: Gaydosh, Adam: "RE: new IIS worm? (rcp lsass.exe)"

Previous message: Gordon Chamberlin: "Modap Worm Infection and Subsequent Scanning"
In reply to: James P. Kinney III: "slapper worm varient "cinik""
Next in thread: Mark: "Re: slapper worm varient "cinik""
Reply: Mark: "Re: slapper worm varient "cinik""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

James and all,

>Apparently the intruder got rather upset I spoiled his fun and about 15
>minutes after I shut him out, I was a victim of a udp-based DOS attack.
Actually, it wasn't an intruder; the UDP flood you are experiencing is a
consequence of a worm network design. Most likely the worm managed to join
the network before you shut it down and now its peers are trying to access
your machine.

For more info got to http://isc.incidents.org/analysis.html?id=169 and
http://isc.incidents.org/analysis.html?id=167

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Gaydosh, Adam: "RE: new IIS worm? (rcp lsass.exe)"
Previous message: Gordon Chamberlin: "Modap Worm Infection and Subsequent Scanning"
In reply to: James P. Kinney III: "slapper worm varient "cinik""
Next in thread: Mark: "Re: slapper worm varient "cinik""
Reply: Mark: "Re: slapper worm varient "cinik""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 19:59:15 PDT