On Tue, Sep 18, 2001 at 11:52:37AM -0700, Aj Effin Reznor wrote:

> Seems this may also be hitting somehow on/over SAMBA.
> A colleague (Alien8) had this to say about his SGI Indy
> with SAMBA running:

> "I started seeing a printout (w/no actual print command)
> of the file (not sure why) and realized it was coming
> from my indy... there was all sorts of traffic so I ran
> tcpdump, and then turned off samba altogether and it
> nearly disappeared (the traffic)"

The worm is known to attempt netbios connections (showing up as port 136 or 445 connections) and connecting to SMB shares (Windows or Samba) as guest. If it can connect, it attempts to propagate through that share.

Sounds to me like it hit a Samba share and started to copy itself in but it turned out to be a printer share and printed instead. Because Samba is pretty versatile, it's easy to advertise a share as something it's not. Like advertising a printer share but not as a printer. The worm could have mistaken a printer share as a drive share. You didn't say where the printer was connected (connected to the Indy would be consistent or direct network connection with a Samba printer share would be consistent).

It's highly unlikely that the worm itself was running on the Indy. Its known behaviors would be consistent with it connecting to a share on the Indy and feeding itself in and ending up on the printer.

> -aj.

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
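An added example, not part of the original post: a Python audit of an smb.conf that lists the shares a guest SMB connection can reach and what happens to data a client sends there (spooled to a printer, as in the Indy report above, or written to disk). The sample configuration, share names and function names are constructed for illustration, and only the parameter synonyms listed in the code are handled.

```python
import configparser

# Constructed sample smb.conf (not from the original post): a guest-accessible
# printer share, a guest-accessible file share, and a share without guest access.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User
[indyprinter]
path = /var/spool/samba
printable = yes
guest ok = yes
[scratch]
path = /export/scratch
public = yes
writable = yes
[homes]
read only = no
"""

TRUE = {"yes", "true", "1"}

def flag(section, *names, default=False):
    """Return the boolean value of the first parameter synonym set for the share."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE
    return default

def audit_guest_shares(conf_text):
    """List (share, effect) for every share that accepts guest connections."""
    # [global] supplies defaults for each share; default_section models that.
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        share = cp[name]
        if not flag(share, "guest ok", "public"):
            continue
        writable = flag(share, "writable", "writeable", "write ok")
        if flag(share, "printable", "print ok"):
            effect = "spooled to printer"  # incoming files become print jobs
        elif writable or not flag(share, "read only", default=True):
            effect = "written to disk"
        else:
            effect = "read-only"
        findings.append((name, effect))
    return findings

if __name__ == "__main__":
    for share, effect in audit_guest_shares(SAMPLE_SMB_CONF):
        print(f"guest-accessible share [{share}]: client data is {effect}")
```

Setting `guest ok = no` on both flagged shares in the sample makes the audit return an empty list.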
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 16:46:03 PDT