Re: [logs] sql-worm and the address generator

From: Kevin W. Gagel (gagelat_private)
Date: Thu Jan 30 2003 - 11:20:02 PST

  • Next message: Sweth Chandramouli: "Re: [logs] Log Analysis Book"

    Well we had two machines infected. I could not find anything
    in any of my logs that indicated the infection or trouble
    communicating with other machines. That may just be because
    I did not have enough auditing enable though...
    ----- Original Message Follows -----
    > dear list,
    > I would like to find out a little more about how the
    > "pseudo random ip address engine" works in this worm. The
    > worm is spread by using a pseudo random IP address,
    > correct.
    > my interest is as follows:
    > If a machine does for some reason become infected with the
    > latest ms-sql attack then will the infected machine's
    > engine have the intelligent to only generate address for
    > the local network or will it try to talk back out to the
    > internet.
    > Q. Will I see dropped packets in the log files, for
    > infected machines trying to connect to unknown addresses
    > on udp/1434. these dropped packets will be for devices on
    > the inside of the network trying to talk to the outside
    > interface.
    > regards
    > Darin 
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    Kevin W. Gagel
    Network Administrator
    College of New Caledonia
    (250) 561-2131 loc 448
    The College of New Caledonia    
    Visit us at
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 11:53:22 PST