Hmm. One of the writeups on Netspree says that it connects to an IRC channel on "master.leet-gamer.net" which now reverses to 127.0.0.1. Anyone know what its address was before someone was "helpful"? Apparently the address is hardcoded in the worm someplace, but I don't have a copy to play with (yet).

Thanks.

Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
pawat_private
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

"Larsen, Colin" <colin.larsenat_private> writes:

> Looks like the Netspree worm. We had it infect 3 or 4 PCs yesterday. It
> floods the network with broadcast packets on port 80 with spoofed source
> IPs.
>
> Cheers - Colin.
>
> -----Original Message-----
> From: Michael Rowe [mailto:mroweat_private]
> Sent: Friday, 31 January 2003 12:22 a.m.
> To: incidentsat_private
> Subject: Re: Packet from port 80 with spoofed microsoft.com ip
>
> On 03/01/29 14:11 -0600, NESTING, DAVID M (SBCSI) wrote:
> > Are you SURE nothing on your end would have attempted to initiate a
> > connection to this site? When you say your Windows computers weren't
> > "active", did you mean they were physically powered off, or just idle?
>
> Yeah, turned off.
>
> On balance, it seems like the most likely explanation is my IP
> being used in a spoofed SYN attack. A distant second: the MS web
> server sending a wildly delayed ack to a legitimate connection.
>
> Thanks for the responses!
>
> --
> Michael Rowe <mroweat_private>
>
> IM  - mroweat_private                    Prof - ACM, IEEE, Computer Soc.
> Web - http://www.mojain.com/             Vice - Barley malt, brewed or
> Key - http://mojain.com/keys/mrowe.asc          distilled (hold the ice)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:33:22 PST