[Dshield] What should I do next

Johannes B. Ullrich jullrich at sans.org
Fri May 10 11:32:19 GMT 2002

> May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC=
> SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111
> ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0

Yet another Nimda-infected host in the neighborhood. The owner
may be more interested in cleaning it up if you tell them that
the system is probably wide open by now and any information on
it can be read by anybody. It probably will soon have a couple
additional backdoors installed and could be used by anybody to
break into further systems.

jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
