[Dshield] ping DoS?

George Theall theall at tifaware.com
Mon Aug 18 20:16:16 GMT 2003

On Mon, Aug 18, 2003 at 02:01:42PM -0400, Matthew Harrell wrote:

> It does appear to be what Symantec calls Welchia, a new worm using the RPC
> vulnerability.  The files dllhost.exe and svchost.exe (tftp server) are
> installed into %systemdirectory%\wins.

I'm a bit perplexed...  The descriptions of this new worm from Symantec,
McAfee, CERT, DShield, etc. don't mention HTTP, yet I'm seeing a large
number of ICMP echo requests with 0xAA as data followed shortly by HTTP
GETs to port 80 (if open) with the user-agent always "Mozilla/4.0
(compatible; MSIE 5.5; Windows 98)".

Is anyone else seeing this pattern of behaviour? Are the write-ups 
omitting this? Or is there something else going around that's gathering
info for an attack on web servers?

theall at tifaware.com
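
The pattern described in the message above (an ICMP echo request carrying only 0xAA bytes, followed shortly by an HTTP GET to port 80 with that user-agent from the same source) can be checked for by correlating events per source address. This is an added example, not part of the original post; the pipe-separated event format, the 60-second window standing in for "shortly", and the sample addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# User-agent string quoted in the post above.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
WINDOW = timedelta(seconds=60)  # assumption: "shortly" taken as 60 seconds

# Constructed sample events (documentation addresses), not captured traffic.
# Fields: time|source|kind|detail (ICMP: hex payload; HTTP: port, method, UA).
SAMPLE = """\
2003-08-18T20:00:01|192.0.2.10|icmp-echo|aaaaaaaaaaaaaaaa
2003-08-18T20:00:03|192.0.2.10|http|80 GET Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
2003-08-18T20:00:05|192.0.2.20|icmp-echo|6162636465666768
2003-08-18T20:00:06|192.0.2.20|http|80 GET Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
2003-08-18T20:01:00|192.0.2.30|icmp-echo|aaaaaaaa
2003-08-18T20:05:00|192.0.2.30|http|80 GET Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
2003-08-18T20:06:00|192.0.2.40|icmp-echo|aaaaaaaa
2003-08-18T20:06:02|192.0.2.40|http|80 GET Mozilla/5.0 (X11; Linux)
"""

def is_aa_payload(hex_payload):
    """True when the payload is non-empty and every byte is 0xAA."""
    try:
        data = bytes.fromhex(hex_payload)
    except ValueError:
        return False
    return len(data) > 0 and set(data) == {0xAA}

def correlate(log_text, window=WINDOW):
    """Return {source: (ping_time, get_time)} for sources matching the pattern."""
    last_ping = {}  # source -> time of its latest 0xAA echo request
    hits = {}
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, kind, detail = parts
        when = datetime.fromisoformat(ts)
        if kind == "icmp-echo" and is_aa_payload(detail):
            last_ping[src] = when
        elif kind == "http" and src in last_ping:
            port, method, ua = (detail.split(" ", 2) + ["", ""])[:3]
            if (port, method, ua) == ("80", "GET", SUSPECT_UA) \
                    and timedelta(0) <= when - last_ping[src] <= window:
                hits.setdefault(src, (last_ping[src], when))
    return hits

if __name__ == "__main__":
    for src, (ping, get) in correlate(SAMPLE).items():
        print(f"{src}: 0xAA echo at {ping}, GET at {get}")
```

Only the first constructed source matches; the others differ in payload, timing, or user-agent, which shows why all three conditions are checked together rather than alerting on the user-agent alone.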

