[Dshield] infocon: yellow

Jonathan Rickman jonathan at xcorps.net
Mon Aug 11 22:40:22 GMT 2003


On Monday 11 August 2003 18:26, Blake McNeill wrote:
> Are you sure this is the worm as it's the same as my capture from last
> night, but there are some people saying that this is just the
> xfocus/metasploit scan (which I disagree with), as I have gotten far too
> many of these since then to be anything other than the worm.

I confirmed (well, as best I could) that the source was infected immediately 
after capture by scanning 4444 with an nmap tcp connect scan.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




