[logs] sql-worm and the address generator

From: Darin.MARAISat_private
Date: Thu Jan 30 2003 - 01:33:47 PST

  • Next message: Bartlett, Mark A.: "[logs] Log Analysis Book"

    dear list,
    I would like to find out a little more about how the "pseudo random ip
    address engine" works in this worm. The worm is spread by using a pseudo
    random IP address, correct.
    my interest is as follows:
    If a machine does for some reason become infected with the latest ms-sql
    attack then will the infected machine's engine have the intelligent to only
    generate address for the local network or will it try to talk back out to
    the internet.
    Q. Will I see dropped packets in the log files, for infected machines trying
    to connect to unknown addresses on udp/1434. these dropped packets will be
    for devices on the inside of the network trying to talk to the outside
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:36:39 PST