Dear list,

I would like to find out a little more about how the "pseudo random IP address engine" works in this worm. The worm is spread by using a pseudo random IP address, correct?

My interest is as follows: if a machine does for some reason become infected with the latest MS-SQL attack, will the infected machine's engine have the intelligence to only generate addresses for the local network, or will it try to talk back out to the internet?

Q. Will I see dropped packets in the log files for infected machines trying to connect to unknown addresses on udp/1434? These dropped packets will be for devices on the inside of the network trying to talk to the outside interface.

Regards,
Darin

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:36:39 PST