[Dshield] New Worm

Rohit Dhamankar rohitd at tippingpoint.com
Tue Aug 19 17:49:43 GMT 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone seen the WebDAV attack in action by the new Nachi worm?
Rohit

- -----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler at aset.com]
Sent: Tuesday, August 19, 2003 9:14 AM
To: General DShield Discussion List
Subject: Re: [Dshield] New Worm


BarkerJr wrote:
> 
> I'm not really sure about that.  Symantec's page says that it sends ICMP
> pings first.  So, if your firewall blocks ICMP pings, you shouldn't get a
> 135 from it.  Am I reading too much into it?
> 

We block pings (and just about everything else) at the firewall, but we
still get the 135/TCP probes from the same IP as well.

In fact the pattern appears to be:
	ping
	probe 135/TCP
	ping
	ping

But not always.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0JjdHAfgHNgKPA3EQLXnACfWxB8rBIa1ht3Bj9s/vellb5N844AoMf2
gUMi7L8+G6xrE1WmRCnmWiGW
=eHLA
-----END PGP SIGNATURE-----
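
The pattern reported in the quoted message (pings and a 135/TCP probe arriving from the same source IP, not always in the same order) can be looked for in firewall drop logs by correlating the two event types per source. This is an added example, not part of the original thread; the log format, the 60-second window and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall drop log (format is an assumption):
# ISO time, source IP, protocol, destination port ("-" for ICMP echo request)
SAMPLE_LOG = """\
2003-08-19T09:01:02 192.0.2.10 ICMP -
2003-08-19T09:01:03 192.0.2.10 TCP 135
2003-08-19T09:01:04 192.0.2.10 ICMP -
2003-08-19T09:01:05 192.0.2.10 ICMP -
2003-08-19T09:02:00 198.51.100.7 ICMP -
2003-08-19T09:02:30 203.0.113.5 TCP 135
2003-08-19T09:03:00 203.0.113.5 TCP 80
2003-08-19T09:30:00 198.51.100.9 ICMP -
2003-08-19T09:50:00 198.51.100.9 TCP 135
"""

def parse(log_text):
    """Yield (time, src, label) where label is 'ping' or '<port>/<proto>'."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, src, proto, dport = fields
        label = "ping" if proto == "ICMP" else f"{dport}/{proto}"
        yield datetime.fromisoformat(ts), src, label

def ping_and_135(log_text, window=timedelta(seconds=60)):
    """Return {src: [labels in time order]} for every source that sent a ping
    and a 135/TCP probe within `window` of each other, in either order."""
    by_src = defaultdict(list)
    for ts, src, label in parse(log_text):
        by_src[src].append((ts, label))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        pings = [t for t, label in events if label == "ping"]
        probes = [t for t, label in events if label == "135/TCP"]
        # Order is not enforced because the thread notes the sequence varies.
        if any(abs(p - q) <= window for p in pings for q in probes):
            hits[src] = [label for _, label in events]
    return hits

if __name__ == "__main__":
    for src, seq in ping_and_135(SAMPLE_LOG).items():
        print(src, " -> ".join(seq))
```

Sources that only ping, only probe 135/TCP, or do both far apart in time are not reported, which keeps ordinary scanning noise out of the result.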


