[Dshield] 1214 (Kazaa) multiple hits & 80 as well
Mercymail at mindspring.com
Fri Jun 21 21:25:59 GMT 2002
Ok, stupid question.... it's not my machine that has a worm is it? I do run
my virus protection all the time, and it scans my whole system weekly.
I'm so paranoid about virus/worms lol. My dad had one that wiped out his
system, and when we installed norton on my husband's machine, we found sub
----- Original Message -----
From: "Lauro, John" <jlauro at umflint.edu>
To: <list at dshield.org>
Sent: Thursday, June 20, 2002 11:48 PM
Subject: RE: [Dshield] 1214 (Kazaa) multiple hits & 80 as well
> Then..... This guy keeps scanning port 80. The IP is very close to
> mine. Notice that the attacker's ip changes from 126.96.36.199 to
> 188.8.131.52 and other 165.247.xx.xxx variations. DO you think it
> is the same person?
> Probably not the same person, but the same worm.
> Some worms (code-red II, etc...) base their random address on their
> own address, and weight it in the following order:
> Same network/24 very likely
> Same network/16
> Same network/8
> Pure random less likely.
> I forget the exact ratios, but you get the idea...
> Anyways, this proved to be very effective to worm writers...
> spreading much quicker then the first attempts that were just
> random..... Three main reasons:
> 1. Portion of net the same, more likely machines are closer and thus
> faster connections. This is especially true for /24, etc...
> 2. If one machine is can be compromised by the worm, then another
> machine in the same network is likely to also be...
> One less obvious, but I heard reports of:
> 3. If one machine is infected behind a firewall (ie: a laptop is
> infected at home, and then connected to corporate net), it is more
> likely to cause an outbreak behind the firewall instead of spending
> all it's time attacking outside...
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list