[Dshield] ICMP increase

George Theall theall at tifaware.com
Tue Aug 19 19:48:06 GMT 2003


On Tue, Aug 19, 2003 at 09:19:54AM -0700, Bill McCarty wrote:

> I'm seeing the ICMP and web server probes. I've seen more than 200 such 
> probes in the last 9 hours. But, I don't see any associated attacks. So 
> far, this looks to me like a distributed scanner, rather than a worm.
> 
> The web server probe follows:
> 
> >GET / HTTP/1.1
> >Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> >User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
> >Host: XXX.XXX.XXX.XXX
> >Connection: Keep-Alive

It appears this is just Welchi / Nachi / Welchia.  While most of the
write-ups don't mention it, F-Secure claims it also tries to infect
IIS 5.0 web servers via a WebDAV exploit.  I imagine you don't see any
attacks because the worm detects the host is running something like
Apache.

F-Secure's write-up is at:

   http://www.f-secure.com/v-descs/welchi.shtml

George
-- 
theall at tifaware.com
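
An added example, not part of the original post: a fingerprint check that flags captured HTTP requests matching the probe quoted above (request line, header order and header values) and counts them per source. The function names, the sample captures and the assumption that the masked Host value is an IPv4 literal are mine, not the thread's.

```python
import ipaddress
from collections import Counter

# Headers of the probe quoted in the post, in the order shown. Host is None
# because the post masks it; treating it as an IPv4 literal is an assumption.
PROBE_HEADERS = [
    ("accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"),
    ("user-agent", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
    ("host", None),
    ("connection", "Keep-Alive"),
]

def parse_request(raw: bytes):
    """Return (request_line, [(lowercased name, value)]); headers is None if malformed."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").splitlines()
    if not lines:
        return "", None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return lines[0], None
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def is_ipv4_literal(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host.split(":")[0])  # tolerate host:port
        return True
    except ValueError:
        return False

def matches_probe(raw: bytes) -> bool:
    """True when request line, header order and header values all match the probe."""
    request_line, headers = parse_request(raw)
    if request_line != "GET / HTTP/1.1" or headers is None:
        return False
    if [n for n, _ in headers] != [n for n, _ in PROBE_HEADERS]:
        return False
    return all(is_ipv4_literal(got) if want is None else got == want
               for (_, got), (_, want) in zip(headers, PROBE_HEADERS))

def count_probes(captures):
    """captures: iterable of (source_ip, raw_request); returns a Counter of matching sources."""
    return Counter(src for src, raw in captures if matches_probe(raw))

# Constructed sample captures (documentation address ranges), not real traffic.
PROBE = (b"GET / HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
         b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
         b"Host: 192.0.2.10\r\nConnection: Keep-Alive\r\n\r\n")
BROWSER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\nConnection: Keep-Alive\r\n\r\n")
CAPTURES = [("198.51.100.7", PROBE), ("203.0.113.9", BROWSER), ("198.51.100.7", PROBE)]
```

Matching on header order as well as values keeps an ordinary browser that sends the same User-Agent string from being counted.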