[Dshield] ping DoS?

George Theall theall at tifaware.com
Mon Aug 18 20:23:01 GMT 2003

On Mon, Aug 18, 2003 at 04:16:16PM -0400, George Theall wrote:

> I'm a bit perplexed...  The descriptions of this new worm from Symantec,
> McAfee, CERT, DShield, etc don't mention http yet I'm seeing a large
> number of ICMP echo requests with 0xAA as data followed shortly by http
> GETs to port 80 (if open) with the user-agent always "Mozilla/4.0
> (compatible; MSIE 5.5; Windows 98)". 

Sorry to follow-up on my own post, but many of the write-ups are
omitting this detail.  One that's not is from F-Secure:


>From that: "In addition, Welchi will attempt to infect IIS 5.0 web
servers via WebDAV exploit."

theall at tifaware.com

More information about the list mailing list