* Darin.MARAISat_private <Darin.MARAISat_private>
> Q. Will I see dropped packets in the log files, for infected machines
> trying to connect to unknown addresses on udp/1434. these dropped
> packets will be for devices on the inside of the network trying to
> talk to the outside interface.

A new log entry I saw recently, presumably related to Slammer, from Linux
systems running the 2.4 kernel:

tomodachi kernel: 211.172.208.18 sent an invalid ICMP error to a broadcast.
jup kernel: 210.221.11.231 sent an invalid ICMP error to a broadcast.
dost kernel: 62.2.180.2 sent an invalid ICMP error to a broadcast.

The three IP addresses are nowhere near the subnet the systems in question
are on, though I am not sure whether the remote systems are infected with
the worm, or just responding to probes from it. Or whether the logs were
coincidental with the worm...

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 11:52:12 PST