[Dshield] infocon: yellow

George Siegel ges at gesls.net
Mon Aug 11 19:23:43 GMT 2003


I received 55 scans from 14:22 to 14:52
----- Original Message -----
From: "Richard Golodner" <RGolodner at Aetea.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Monday, August 11, 2003 3:04 PM
Subject: RE: [Dshield] infocon: yellow


> We are seeing a 10x increase in scans for port 135 begining at 1400
Eastern
> Time.
> Top Four Netblocks
> 61.43.222.214
> 65.30.70.92
> 198.142.176.27
> 212.27.213.168
> Richard
>
> -----Original Message-----
> From: Paul Marsh [mailto:pmarsh at nmefdn.org]
> Sent: Monday, August 11, 2003 2:44 PM
> To: General DShield Discussion List
> Subject: RE: [Dshield] infocon: yellow
>
>
> Looks like it's starting, I'm getting blasted with them.
>
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> Sent: Monday, August 11, 2003 2:24 PM
> To: list at dshield.org
> Subject: [Dshield] infocon: yellow
>
>
> This message was converted from multipart/signed to ascii armored
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
> We just got a binary that looks very much like an
> RPC worm. It scans for port 135. No real idea what it does (other than
> scanning).
>
> Strings from the file:
>
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ?
>  Stop making money and fix your software
> windowsupdate.com
>
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> tftp -i %s GET %s
>
>
>
>
> --
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQA/N99UR1p7hYJvB/wRAgmhAJ4xk51nJk53JB9o6tiTvPtIe+V3tACghYLN
> FulyEetb4Gu8+9fysZN+ajg-----END PGP SIGNATURE-----
>
> --
> SHA1
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>
>




More information about the list mailing list