As I think this has already been posted here, it would seem that this may be part of the new so-called "good" worm, if that in fact really is one, which seems to patch the machine once infected and removes any traces of the previous worm as well as itself on January 1, 2004. This does create a lot of traffic as it does search for other vulnerable machines. Is this a good or bad thing? Did the writer of this do it to help remove the infection and spread of the previous worm, or some other hidden agenda?

McAfee link:
http://us.mcafee.com/virusInfo/default.asp?id=nachi

Symantec link:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario
Canada M6K 3L5
_______________________
e: bmartinsat_private
t: (416) 535-4222 ext. 2307
f: (416) 535-1201
http://www.extend.com

-----Original Message-----
From: Kevin Patz [mailto:jambo_catat_private]
Sent: Monday, August 18, 2003 4:46 PM
To: incidentsat_private
In-Reply-To: <3F411CBC.2020203at_private>

Upon reading of this, I enabled logging of ping requests on my firewall. So far I've only seen three with len=92:

24.64.90.16 (Shaw Communications)
24.60.234.130 (Comcast, formerly attbi)
24.61.246.103 (Comcast, formerly attbi)

My IP is on Comcast, formerly attbi, on a 24.62 IP range. I also have some pings with len=60 but they look more like "normal" ICMP echo requests.

> Ken,
> We're seeing the same ICMP pattern.
> Is this from the blaster? We are looking into filtering ICMP echo
> request on our external routers.
>
> Here is a snip from our IDS,
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> [Xref => http://www.whitehats.com/info/IDS154]
> Event ID: 179333 Event Reference: 0
> 08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
> ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
> Type:8 Code:0 ID:2 Seq:61261 ECHO
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
>
> Thanks
> Daniel Williams
> Cedar Document Technologies

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
---------------------------------------------------------------------------
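The len=92 pattern that Kevin logged and that Daniel's IDS snip shows (20-byte IP header, 8-byte ICMP echo header, 64 data bytes of 0xAA), as an added example that is not from any poster in this thread: Python that parses an IPv4 echo request, checks the ICMP checksum, and flags only that exact form, run over constructed packets. The 65.83.120.72 source and the TTL/ID/Seq values come from the snip; 192.0.2.1, 24.62.0.10 and 198.51.100.7 are made-up sample addresses.

```python
import socket
import struct

# DgmLen 92 = 20-byte IPv4 header + 8-byte ICMP echo header + 64 bytes of 0xAA.
PROBE_DGM_LEN = 92
PROBE_DATA = b"\xaa" * 64


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ttl: int, ident: int, seq: int, data: bytes) -> bytes:
    """Constructed IPv4 echo request used only as sample input here (no sockets are opened)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def is_welchia_probe(packet: bytes) -> bool:
    """True when the datagram matches the len=92, 0xAA-filled echo-request signature."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len != PROBE_DGM_LEN or total_len != len(packet):
        return False
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:  # corrupt or mis-parsed ICMP: do not trust the match
        return False
    return icmp[0] == 8 and icmp[1] == 0 and icmp[8:] == PROBE_DATA


def probe_sources(packets: list) -> list:
    """Source addresses of matching packets, the column a firewall log would give you."""
    return [socket.inet_ntoa(p[12:16]) for p in packets if is_welchia_probe(p)]


# Constructed samples: the probe from the IDS snip, a default Windows ping (32 data bytes,
# DgmLen 60, like Kevin's "len=60" pings), and a 92-byte echo with other fill (no match).
SAMPLES = [
    build_echo_request("65.83.120.72", "192.0.2.1", 118, 2, 61261, PROBE_DATA),
    build_echo_request("24.62.0.10", "192.0.2.1", 128, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request("198.51.100.7", "192.0.2.1", 64, 3, 9, b"\x00" * 64),
]
```

Filtering on DgmLen alone would also catch the third sample; checking the 0xAA fill and the checksum keeps the match narrow.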
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:43:02 PDT