[Dshield] infocon: yellow

Richard Golodner RGolodner at Aetea.com
Mon Aug 11 19:45:52 GMT 2003


Firewall logs yes, but not our NT logs, as the connection attempts are being
dropped. I guess for some, patching may be too late. This list has saved my
company and myself a lot of headaches. Thanks Johannes.

-----Original Message-----
From: Mark Squire [mailto:msquire at lagraphico.com]
Sent: Monday, August 11, 2003 3:39 PM
To: General DShield Discussion List
Subject: RE: [Dshield] infocon: yellow


Is this showing up in anyone's event logs?  Just curious.

> -----Original Message-----
> From: Korhonen Juuso [mailto:juuso.korhonen at camline.fi] 
> Sent: Monday, August 11, 2003 12:23 PM
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] infocon: yellow
> 
> 
> 
> Confirmed from Finland also. Getting hits to 135 with rate 
> 5/sec. Also seeing huge increase to 137.
> 
> 
> 
> Best Regards
> 
> Juuso
> 
> Radiant, sir, radiant 
> 
> 
> 
> 
> -----Original Message-----
> From: Richard Golodner [mailto:RGolodner at Aetea.com]
> Sent: 11. elokuuta 2003 22:04
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] infocon: yellow
> 
> 
> We are seeing a 10x increase in scans for port 135 beginning 
> at 1400 Eastern Time. Top Four Netblocks: 61.43.222.214, 
> 65.30.70.92, 198.142.176.27, 212.27.213.168
> 			Richard
> 
> -----Original Message-----
> From: Paul Marsh [mailto:pmarsh at nmefdn.org]
> Sent: Monday, August 11, 2003 2:44 PM
> To: General DShield Discussion List
> Subject: RE: [Dshield] infocon: yellow
> 
> 
> Looks like it's starting, I'm getting blasted with them.
> 
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> Sent: Monday, August 11, 2003 2:24 PM
> To: list at dshield.org
> Subject: [Dshield] infocon: yellow
> 
> 
> This message was converted from multipart/signed to ascii armored
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We just got a binary that looks very much like an
> RPC worm. It scans for port 135. No real idea what it does 
> (other than scanning).
> 
> Strings from the file:
> 
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ? 
>  Stop making money and fix your software
> windowsupdate.com
> 
> BILLY
> windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> tftp -i %s GET %s
> 
> 
> 
> 
> -- 
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
> iD8DBQA/N99UR1p7hYJvB/wRAgmhAJ4xk51nJk53JB9o6tiTvPtIe+V3tACghYLN
> FulyEetb4Gu8+9fysZN+ajg
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list