[Dshield] 1214 (Kazaa) multiple hits & 80 as well

Mercy Mercymail at mindspring.com
Fri Jun 21 21:25:59 GMT 2002


Ok, stupid question.... it's not my machine that has a worm is it?  I do run
my virus protection all the time, and it scans my whole system weekly.

I'm so paranoid about virus/worms lol.  My dad had one that wiped out his
system, and when we installed Norton on my husband's machine, we found sub
7.  Scary.

Mercy
----- Original Message -----
From: "Lauro, John" <jlauro at umflint.edu>
To: <list at dshield.org>
Sent: Thursday, June 20, 2002 11:48 PM
Subject: RE: [Dshield] 1214 (Kazaa) multiple hits & 80 as well


> Then..... This guy keeps scanning port 80. The IP is very close to
> mine. Notice that the attacker's IP changes from 165.247.115.148 to
> 165.247.88.159 and other 165.247.xx.xxx variations. Do you think it
> is the same person?
>
>
> Probably not the same person, but the same worm.
>
> Some worms (code-red II, etc...) base their random address on their
> own address, and weight it in the following order:
> Same network/24 very likely
> Same network/16
> Same network/8
> Pure random less likely.
>
> I forget the exact ratios, but you get the idea...
>
> Anyways, this proved to be very effective to worm writers...
> spreading much quicker than the first attempts that were just
> random.....  Three main reasons:
> 1. Portion of net the same, more likely machines are closer and thus
> faster connections.  This is especially true for /24, etc...
> 2. If one machine can be compromised by the worm, then another
> machine in the same network is likely to also be...
>
> One less obvious, but I heard reports of:
> 3. If one machine is infected behind a firewall (ie: a laptop is
> infected at home, and then connected to corporate net), it is more
> likely to cause an outbreak behind the firewall instead of spending
> all its time attacking outside...
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
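
The locality weighting described in the quoted reply can be checked from the receiving side. The following is an added example, not part of the thread: it buckets the sources of port 80 probes by the longest prefix (/24, /16, /8) they share with the defender's own address and compares that with uniformly random scanning. The addresses, log format, and thresholds are constructed assumptions.

```python
import ipaddress
import re

LOCAL_IP = "10.20.30.40"  # assumption: defender's own address (constructed)

# Constructed firewall log (not from the thread): inbound TCP probes.
SAMPLE_LOG = """\
Jun 20 23:01:12 DROP TCP 10.20.30.77:3121 -> 10.20.30.40:80
Jun 20 23:01:15 DROP TCP 10.20.88.159:4410 -> 10.20.30.40:80
Jun 20 23:02:40 DROP TCP 10.20.115.148:1033 -> 10.20.30.40:80
Jun 20 23:03:02 DROP TCP 10.200.1.9:2077 -> 10.20.30.40:80
Jun 20 23:04:55 DROP TCP 172.16.5.5:1999 -> 10.20.30.40:80
Jun 20 23:05:01 DROP TCP 10.20.88.159:4411 -> 10.20.30.40:80
Jun 20 23:06:30 DROP TCP 10.20.30.77:3122 -> 10.20.30.40:1214
"""
LINE_RE = re.compile(r"TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def probe_sources(log, local, port=80):
    """Unique source addresses that probed local:port."""
    return {m.group(1) for m in LINE_RE.finditer(log)
            if m.group(2) == local and int(m.group(3)) == port}

def shared_bucket(local, remote):
    """Longest of /24, /16, /8 shared by both addresses, or 0 if none."""
    a = int(ipaddress.IPv4Address(local))
    b = int(ipaddress.IPv4Address(remote))
    for bits in (24, 16, 8):
        if (a >> (32 - bits)) == (b >> (32 - bits)):
            return bits
    return 0

def locality_profile(local, sources):
    """Count unique sources per bucket: same /24, /16, /8, or unrelated (0)."""
    profile = {24: 0, 16: 0, 8: 0, 0: 0}
    for src in set(sources):
        profile[shared_bucket(local, src)] += 1
    return profile

def looks_locality_biased(local, sources, factor=10, min_near=3):
    """True when far more sources share our /8 than uniform scanning predicts.
    factor and min_near are illustrative thresholds, not tuned values."""
    profile = locality_profile(local, sources)
    total = sum(profile.values())
    near = total - profile[0]
    expected_near = total / 256  # uniform random: 1 source in 256 is in our /8
    return near >= min_near and near > factor * expected_near

if __name__ == "__main__":
    srcs = probe_sources(SAMPLE_LOG, LOCAL_IP)
    print(locality_profile(LOCAL_IP, srcs), looks_locality_biased(LOCAL_IP, srcs))
```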



