[Dshield] Possible variant of Blaster/Nachi/Welchia?

Jeff Kell jeff-kell at utc.edu
Fri Sep 26 15:25:18 GMT 2003


I have seen some STRANGE traffic on our dorms this morning.  The dorms 
are all on a private network 172.18.0.0.  I have hosts (10 so far) that 
are doing this:

    spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
same spoof 172.x.x.x ICMP --> another random 172.x.x.x

About once or twice a minute the ICMPs continue, but the UDP isn't repeated.

It appears to be spreading (new machines showing up doing the same 
thing).  Any ideas, clues, ring any bells?

Jeff





