Have a look here:
http://www.sophos.com/virusinfo/analyses/w32nachia.html
and there:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Hope this helps

Jean-Luc Cavey
65, boulevard Brune
75014 Paris, France
+33 (0) 1 45 43 45 62
+33 (0) 6 15 93 77 96
E-Mail : Jean-Lucat_private

---- Original Message ----
From: "Charles Blackburn" <charlesb@summerfield-technology.co.uk>
To: <incidentsat_private>
Sent: Monday, August 18, 2003 12:24 PM
Subject: is this the start of something naughty?

> Hi
>
> I received approximately 100 of these within the space of 30 minutes
> or so from numerous different IP addresses and on my /29 block (2/3
> machines and also the broadcast and network addresses). Now I've had
> a few, shall we say, erm, "funnies" going on on this one machine lately
> with problems when it's rebooted which seem to be fixed by a kernel
> rebuild, but that could be a hardware problem. However, it could be
> more indicative of an attack, maybe even a successful one.
>
> Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2
> Windows [Classification: Misc activity] [Priority: 3]: {ICMP}
> 80.253.133.136 -> xx.xx.xx.120/123/125/127
>
> 120/127 are the ends of my 8 IP block, 125 is the machine with the
> funnies, and 123 is a Windows 98 VMware session that I've only just
> finished installing Windows in.
>
> It's always those same IPs and never any of the others.
>
> My question is, what can I do to see whether my box has been
> compromised (a rebuild's not much of a problem as I was going to do it
> anyway :P) and could any of you "1337" (I use that term loosely)
> help me.
>
> regards
> charles
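
An added example, not part of the original messages: one way to summarise Snort syslog alerts like the one quoted above, counting distinct sources and per-destination hits for one signature ID so that a many-source sweep can be told apart from a single probing host. The sample lines, their documentation-range addresses, the `min_sources` threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert as written to syslog, the format quoted in the message.
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssnort(?:\[\d+\])?:\s"
    r"\[\d+:(?P<sid>\d+):\d+\]\s.*?\{\w+\}\s"
    r"(?P<src>[\d.]+)(?::\d+)?\s->\s(?P<dst>[\d.]+)"
)

# Constructed sample input (not from the original post).
SAMPLE = """\
Aug 18 10:46:14 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.10 -> 203.0.113.125
Aug 18 10:47:02 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.7 -> 203.0.113.123
Aug 18 10:52:40 thunder snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.99 -> 203.0.113.125
Aug 18 10:53:00 thunder snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 203.0.113.125
""".splitlines()

def summarize(lines, sid, year=2003):
    """Distinct sources, hits per destination and time span for one SID."""
    sources, per_dst, times = set(), defaultdict(int), []
    for line in lines:
        m = ALERT.match(line)
        if not m or int(m["sid"]) != sid:
            continue  # unparseable line or a different signature
        sources.add(m["src"])
        per_dst[m["dst"]] += 1
        # syslog timestamps omit the year, so the caller supplies it
        times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"alerts": len(times), "sources": sorted(sources),
            "per_dst": dict(per_dst), "span_s": span}

def looks_like_sweep(summary, min_sources=3):
    """Many unrelated sources hitting the same hosts points to background
    scanning rather than one host probing this network (assumed threshold)."""
    return len(summary["sources"]) >= min_sources

if __name__ == "__main__":
    s = summarize(SAMPLE, sid=483)
    print(s, "sweep" if looks_like_sweep(s) else "single-source")
```
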
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 13:05:16 PDT