[Dshield] Different Nachi/msblast probe pattern?

John Sage jsage at finchhaven.com
Thu Sep 11 17:32:18 GMT 2003


On Thu, Sep 11, 2003 at 08:57:50AM -0700, ALEPH0 wrote:
> msblast was programmed to cripple yesterday (give or take timezones and
> misconfigured desktop clocks), the 10th.  There is always someone out there
> who will modify it on the 11th to put more spin on the wheel, usually
> amateurish and basic modifications of the original.

I do believe that it's SoBig variant F that's turned off.

I've found it helpful to look at source IPs that have probed one port
to see what they are doing, overall.

So is this a new signature of anything, or just some oddball variant:

Nachi ping, msblast SYN and first packets, UDP:137 request, and a
Nachi ping or two...

Seen several now, only recently.



- John
-- 
John Sage
InfoSec Groupie

ABCD, EFGH, IJKL, EmEnOh, Plus+, Minus-
http://www.finchhaven.com/
Vashon Island, (the other) WA
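
An added example, not part of the original post: one way to pivot from sources that probed one port to everything else those sources sent, as the message suggests. The log format, addresses and function names are constructed for illustration, and it assumes the "msblast SYN" is a SYN to TCP port 135.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified iptables-like format (not from the post).
SAMPLE_LOG = """\
Sep 11 10:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Sep 11 10:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3121 DPT=135 SYN
Sep 11 10:01:04 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1027 DPT=137
Sep 11 10:01:09 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Sep 11 10:02:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4000 DPT=135 SYN
Sep 11 10:02:30 fw kernel: IN=eth0 SRC=203.0.113.99 DST=198.51.100.5 PROTO=TCP SPT=4411 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (src, label) for one log line, or None if it is not a packet record."""
    f = dict(FIELD.findall(line))
    if "SRC" not in f or "PROTO" not in f:
        return None
    proto = f["PROTO"]
    if proto == "ICMP":
        label = "ICMP/type" + f.get("TYPE", "?")   # type 8 = echo request (ping)
    else:
        label = proto + "/" + f.get("DPT", "?")    # destination port probed
    return f["SRC"], label

def probes_by_source(log_text):
    """Map each source IP to its probes, in the order they appear in the log."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            seen[rec[0]].append(rec[1])
    return dict(seen)

def pivot(log_text, port_label):
    """Sources that hit port_label, together with everything else they sent."""
    return {s: seq for s, seq in probes_by_source(log_text).items() if port_label in seq}

def mixed_pattern(seq):
    """True when one source sent a ping, a TCP/135 probe and a UDP/137 request."""
    return {"ICMP/type8", "TCP/135", "UDP/137"} <= set(seq)

if __name__ == "__main__":
    for src, seq in pivot(SAMPLE_LOG, "TCP/135").items():
        print(src, " -> ".join(seq), "[mixed]" if mixed_pattern(seq) else "")
```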