[Dshield] Different Nachi/msblast probe pattern?
jsage at finchhaven.com
Thu Sep 11 17:32:18 GMT 2003
On Thu, Sep 11, 2003 at 08:57:50AM -0700, ALEPH0 wrote:
> msblast was programmed to cripple yesterday (give or take timezones and
> misconfigured desktop clocks), the 10th. There is always someone out there
> who will modify it on the 11th to put more spin on the wheel, usually
> amateurish and basic modifications of the original.
I do believe that it's SoBig variant F that's turned off.
I've found it helpful to look at source IPs that have probed one port
to see what they are doing, overall.
So is this a new signature of anything, or just some oddball variant:
Nachi ping, msblast SYN and first packets, UDP:137 request, and a
Nachi ping or two...
Seen several now, only recently.
ABCD, EFGH, IJKL, EmEnOh, Plus+, Minus-
Vashon Island, (the other) WA
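
Added example (not part of the original post): one way to pivot on source IP and flag hosts whose overall activity follows the ping, SYN, UDP:137, ping sequence described above. The log format and addresses are constructed, and mapping the msblast SYN to TCP/135 and the ping to ICMP type 8 is an assumption the post does not state.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (format and addresses invented for this example).
SAMPLE_LOG = """\
2003-09-11T17:01:02 src=192.0.2.10 proto=ICMP type=8
2003-09-11T17:01:03 src=192.0.2.10 proto=TCP dpt=135 flags=SYN
2003-09-11T17:01:03 src=198.51.100.7 proto=TCP dpt=135 flags=SYN
2003-09-11T17:01:04 src=192.0.2.10 proto=TCP dpt=135 flags=ACK
2003-09-11T17:01:05 src=192.0.2.10 proto=UDP dpt=137
2003-09-11T17:01:06 src=203.0.113.5 proto=ICMP type=8
2003-09-11T17:01:07 src=192.0.2.10 proto=ICMP type=8
2003-09-11T17:01:09 src=192.0.2.10 proto=ICMP type=8
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) proto=(\w+)(?: (?:dpt|type)=(\d+))?")

# Assumed mapping: echo request = "ping", TCP/135 = msblast-style probe.
LABELS = {("ICMP", "8"): "ping", ("TCP", "135"): "tcp135", ("UDP", "137"): "udp137"}

# The sequence reported in the post, in order.
PATTERN = ["ping", "tcp135", "udp137", "ping"]

def activity_by_source(log_text):
    """Group events per source IP, collapsing consecutive repeats.
    Assumes the log lines are already in time order."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        _ts, src, proto, num = m.groups()
        label = LABELS.get((proto, num), "other")
        if not per_src[src] or per_src[src][-1] != label:
            per_src[src].append(label)
    return dict(per_src)

def matches_pattern(seq, pattern=PATTERN):
    """True if pattern occurs in seq as an ordered subsequence."""
    it = iter(seq)
    return all(step in it for step in pattern)

def sources_matching(log_text):
    """Source IPs whose overall activity contains the full sequence."""
    acts = activity_by_source(log_text)
    return sorted(s for s, seq in acts.items() if matches_pattern(seq))

if __name__ == "__main__":
    for src in sources_matching(SAMPLE_LOG):
        print(src, activity_by_source(SAMPLE_LOG)[src])
```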