[Dshield] New signature?
gbroiles at well.com
Sun Aug 12 07:13:28 GMT 2001
At 04:43 PM 8/11/2001 -0700, John Groseclose wrote:
>That's the eEye vulnerability scanner. Some twit is scanning your
>machine/network to see if you're open to Code Red.
>Looks like it's coming from dsl092-004-240.sfo1.dsl.speakeasy.net -
>there's been a LOT of this kind of thing from various Speakeasy hosts for
>the last week.
>Repeated notes to abuse at speakeasy.net and suppoer at speakeasy.net have gone
They were probably too busy with their own unannounced, un-consented-to
scan of their subscribers using eEye's scanner - I saw the scan, noticed
the similarity to CR I/II but the different signature, and called their
support people to ask why one of their webservers was being used to scan my
hosts - they said they were doing it to check for infected machines, that
they didn't see any reason to give a heads-up or ask permission first, and
that they'd only be contacting subscribers who were apparently
infected/vulnerable. That might have made sense post-CR I, but after CR II,
I don't think it's reasonable to make any inferences or assumptions about
what state a machine is in after it's been left rooted and vulnerable like
that, especially where it's busily broadcasting its existence and
vulnerability to other machines on the net.
I have also seen a significant increase in TCP/UDP scans from within
Speakeasy's IP block on port 139 in the past few days - I did some grepping
to look for matches between my logs of infected CR II hosts and the hosts
doing the 139 probes - didn't find any correlation, but am not sure that
means much, given the random nature of CR II propagation and the apparently
linear port 139 scans. (I've got 4 IPs, so it's easy to watch the scans
walk up my block of addresses). It seems reasonable to think some of those
hosts poking around on 139 were rooted with CR II and are now being used to
look in a more methodical fashion for more interesting victims.
On the other hand, the only machines I've got exposed to the world are
locked-down *BSD's, and I'm getting bored with playing worm whack-a-mole
with logfiles, and have stopped watching this stuff carefully. It's
interesting to watch the worm spread, but nothing I've seen has risen
beyond the level of annoyance, and I don't think there's anything I can do
to make unmotivated (or unwitting) Windows NT/2K sysadmins bring their
systems up to a reasonable level of security such that they're not
endangering (or annoying) their network neighbors.
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids
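The correlation the post describes (grepping web logs for Code Red II hits, then checking whether the same sources are the ones probing port 139, and whether those probes walk linearly up an address block) can be done in a few lines. The following is an added example, not code from the post or the list; the log lines are constructed (Apache-style access log entries and ipfw-style deny lines) and the `/default.ida?` request marker is the assumed Code Red signature.

```python
import re
from collections import defaultdict

# Constructed sample web server log (Apache combined-style). Code Red family
# worms probe IIS with a GET for /default.ida followed by a long filler string.
WEB_LOG = """\
10.1.2.3 - - [11/Aug/2001:10:02:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXX HTTP/1.0" 404 -
10.9.8.7 - - [11/Aug/2001:10:05:40 -0700] "GET /index.html HTTP/1.0" 200 1024
10.4.4.4 - - [11/Aug/2001:10:07:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXX HTTP/1.0" 404 -
"""

# Constructed firewall log: ipfw-style deny lines for inbound TCP to port 139.
FW_LOG = """\
Aug 11 10:10:01 Deny TCP 10.1.2.3:3021 192.0.2.1:139 in via fxp0
Aug 11 10:10:01 Deny TCP 10.1.2.3:3022 192.0.2.2:139 in via fxp0
Aug 11 10:10:02 Deny TCP 10.1.2.3:3023 192.0.2.3:139 in via fxp0
Aug 11 10:10:02 Deny TCP 10.1.2.3:3024 192.0.2.4:139 in via fxp0
Aug 11 10:12:50 Deny TCP 10.5.5.5:1300 192.0.2.3:139 in via fxp0
Aug 11 10:13:10 Deny TCP 10.6.6.6:4000 192.0.2.2:80 in via fxp0
"""

WEB_RE = re.compile(r'^(\S+) .*"GET /default\.ida\?')
FW_RE = re.compile(r'Deny TCP (\S+):\d+ (\S+):139 ')


def code_red_sources(text):
    """Set of client IPs that sent a Code Red style /default.ida request."""
    sources = set()
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            sources.add(m.group(1))
    return sources


def port139_probes(text):
    """Map each probing source IP to the destination IPs it hit on 139, in log order."""
    probes = defaultdict(list)
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            probes[m.group(1)].append(m.group(2))
    return dict(probes)


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split('.'))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_linear_walk(dsts, min_len=3):
    """True if a source touched at least min_len distinct, consecutive addresses."""
    ints = sorted({ip_to_int(d) for d in dsts})
    if len(ints) < min_len:
        return False
    return all(b - a == 1 for a, b in zip(ints, ints[1:]))


def correlate(web_text, fw_text):
    """Sources seen both as CR hosts and as 139 probers, plus sources walking a block."""
    cr = code_red_sources(web_text)
    probes = port139_probes(fw_text)
    return {
        'code_red_and_139': sorted(cr & set(probes)),
        'linear_139_scanners': sorted(src for src, dsts in probes.items()
                                      if is_linear_walk(dsts)),
    }


if __name__ == '__main__':
    for key, hosts in correlate(WEB_LOG, FW_LOG).items():
        print(key, hosts)
```

As the post notes, an empty intersection does not prove much: CR II picks targets pseudo-randomly, so an infected host may simply never have hit your web servers, while the linear-walk check only flags scanners that happen to sweep your addresses in order.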