[Dshield] ping DoS?

George Theall theall at tifaware.com
Mon Aug 18 20:23:01 GMT 2003


On Mon, Aug 18, 2003 at 04:16:16PM -0400, George Theall wrote:

> I'm a bit perplexed...  The descriptions of this new worm from Symantec,
> McAfee, CERT, DShield, etc don't mention http yet I'm seeing a large
> number of ICMP echo requests with 0xAA as data followed shortly by http
> GETs to port 80 (if open) with the user-agent always "Mozilla/4.0
> (compatible; MSIE 5.5; Windows 98)". 

Sorry to follow-up on my own post, but many of the write-ups are
omitting this detail.  One that's not is from F-Secure:

   http://www.f-secure.com/v-descs/welchi.shtml

>From that: "In addition, Welchi will attempt to infect IIS 5.0 web
servers via WebDAV exploit."

George
-- 
theall at tifaware.com




More information about the list mailing list