[Dshield] ping DoS?

Roberts, Chris CRoberts at Limitedbrands.com
Mon Aug 18 19:20:30 GMT 2003


Yep, finding these, but it seems that in a couple of the cases we have
isolated the patch, and removal of these files still leaves the system
sitting there (after a couple of reboots, threats, and a possible axe in the
CD drive) with tcp_probe_msrpc.

Thoughts, anyone?

Chris


-----Original Message-----
From: Matthew Harrell [mailto:mhar at plex.com]
Sent: Monday, August 18, 2003 2:02 PM
To: General DShield Discussion List
Subject: RE: [Dshield] ping DoS?


It does appear to be what Symantec calls Welchia, a new worm using the RPC
vulnerability.  The files dllhost.exe and svchost.exe (tftp server) are
installed into %systemdirectory%\wins.


-----------------
Matt Harrell
Plexus Systems
mhar at plex.com 

----- On 8/18/2003 1:49 PM, CRoberts at limitedbrands.com wrote: 
> We are having major internal problems with this today, infected machines
> (NEWLY infected ones, TCP_Probe_MSRPC ones)
> 
> New variant? (Was all quiet from Friday until this morning.)
> 
> -----Original Message-----
> From: Matthew Harrell [mailto:mhar at plex.com]
> Sent: Monday, August 18, 2003 12:47 PM
> To: Dshield Mailing List
> Subject: [Dshield] ping DoS?
> 
> 
> At about 12:15 PM today, our internal WAN (includes multiple customers on
> their own subnets) seems to have been hit by some kind of ping DoS worm. 
> In my firewall logs, I saw HUGE amounts of pings coming from multiple hosts
> in all (or at least most) of our internal subnets.  The pings seem to
> target nearby subnets (192.168.x.x, and some 192.165.x.x are what I saw
> most of).  We are running Symantec Enterprise Firewall, which has a ping
> proxy.  This proxy on both firewalls was overwhelmed, and this resulted in
> a practical DoS on our ASP servers.  I added a ping deny filter on the
> internal interfaces on our firewalls, and things are accessible now, but
> we're still working on tracing down these pings.  Does anyone know of a
> worm, or anything else, that would do this?
> 
> 
> -----------------
> Matt Harrell
> Plexus Systems
> mhar at plex.com 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
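
As an added example (not part of the original thread): one way to trace the pinging hosts described above is to rank internal sources in the firewall log by how many distinct addresses they ping. The log layout, the 192.168.0.0/16 internal range and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]  # assumed internal range

def parse_line(line):
    """Return (src, dst) for an ICMP echo-request line, else None.
    Assumed layout: <time> <src> <dst> <proto> <detail>."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "icmp" or parts[4] != "echo-request":
        return None
    try:
        return ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
    except ValueError:
        return None  # malformed address field

def find_sweepers(lines, internal=INTERNAL, min_targets=50):
    """Map each internal source to its count of distinct ping targets,
    keeping only sources at or above min_targets, busiest first."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an echo request, or unparseable
        src, dst = parsed
        if any(src in net for net in internal):
            targets[src].add(dst)
    hits = {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}
    return dict(sorted(hits.items(), key=lambda kv: kv[1], reverse=True))

def constructed_sample():
    """Constructed log: one sweeping host, one normal host, noise lines."""
    lines = [
        f"2003-08-18T12:15:{i % 60:02d} 192.168.10.23 192.168.11.{i} icmp echo-request"
        for i in range(1, 121)
    ]
    lines += ["2003-08-18T12:16:00 192.168.10.5 192.168.10.1 icmp echo-request"] * 3
    lines += [
        "2003-08-18T12:16:01 192.168.10.5 192.168.10.9 tcp 135",
        "garbage line",
        "2003-08-18T12:16:02 bad.addr 192.168.10.1 icmp echo-request",
    ]
    return lines

if __name__ == "__main__":
    for host, count in find_sweepers(constructed_sample()).items():
        print(f"{host} pinged {count} distinct addresses")
```

Counting distinct destinations rather than raw packets keeps a host that repeatedly pings one gateway from being flagged alongside hosts that sweep whole subnets.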