Well we had two machines infected. I could not find anything in any of my logs that indicated the infection or trouble communicating with other machines. That may just be because I did not have enough auditing enabled though...

----- Original Message Follows -----
> Dear list,
>
> I would like to find out a little more about how the
> "pseudo random ip address engine" works in this worm. The
> worm is spread by using a pseudo random IP address,
> correct.
>
> My interest is as follows:
>
> If a machine does for some reason become infected with the
> latest ms-sql attack then will the infected machine's
> engine have the intelligence to only generate addresses for
> the local network or will it try to talk back out to the
> internet.
>
> Q. Will I see dropped packets in the log files, for
> infected machines trying to connect to unknown addresses
> on udp/1434? These dropped packets will be for devices on
> the inside of the network trying to talk to the outside
> interface.
>
> regards
> Darin
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

===========================
Kevin W. Gagel
Network Administrator
College of New Caledonia
gagelat_private
(250) 561-2131 loc 448
--------------------------------
The College of New Caledonia
Visit us at http://www.cnc.bc.ca
--------------------------------
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 11:53:22 PST