[Dshield] What should I do next

Jim Gifford maillist at jg555.com
Fri May 10 12:38:40 GMT 2002


I have sent him this information four times without a response. I just think
he is not interested. The weird part is that it has happened almost every day
at different times using the same IPs every time.

----- Original Message -----
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: <list at dshield.org>
Sent: Friday, May 10, 2002 4:32 AM
Subject: Re: [Dshield] What should I do next


>
> > May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC=
> > SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111
> > ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
>
> yet another Nimda infected host in the neighborhood. The owner
> may be more interested in cleaning it up if you tell them that
> the system is probably wide open by now and any information on
> it can be read by anybody. It probably will soon have a couple
> additional backdoors installed and could be used by anybody to
> break into further systems.
>
> --
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System