[Dshield] Different Nachi/msblast probe pattern?

John Sage jsage at finchhaven.com
Thu Sep 11 17:32:18 GMT 2003

On Thu, Sep 11, 2003 at 08:57:50AM -0700, ALEPH0 wrote:
> msblast was programmed to cripple yesterday (give or take timezones and
> misconfigured desktop clocks), the 10th.  There is always someone out there
> who will modify it on the 11th to put more spin on the wheel, usually
> amateurish and basic modifications of the original.

I do beleive that it's SoBig variant F that's turned off.

I've found it helpful to look at source IP's that have probed one port
to see what they are doing, overall..

So is this a new signature of anything, or just some oddball variant:

Nachii ping, msblast SYN and first packets, UDP:137 request, and a
Nachii ping or two...

Seen several now, only recently.

- John
John Sage
InfoSec Groupie

ABCD, EFGH, IJKL, EmEnOh, Plus+, Minus-
Vashon Island, (the other) WA

More information about the list mailing list