[Dshield] Possible variant of Blaster/Nachi/Welchia?

Deb Hale haled at pionet.net
Fri Sep 26 15:58:57 GMT 2003


According to this write-up, port 123 is used for Network Time Protocol. It
shows a 123 to 123 as a query or response between two servers. My question
is: is your network syncing with the spoofed IP and, if it is, why?

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Jeff Kell
Sent: Friday, September 26, 2003 10:25 AM
To: Incidents; General DShield Discussion List
Subject: [Dshield] Possible variant of Blaster/Nachi/Welchia?

I have seen some STRANGE traffic on our dorms this morning. The dorms 
are all on a private network. I have hosts (10 so far) that 
are doing this:

    spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
same spoof 172.x.x.x ICMP --> another random 172.x.x.x

About once or twice a minute the ICMPs continue, but the UDP isn't repeated.

It appears to be spreading (new machines showing up doing the same 
thing).  Any ideas, clues, ring any bells?
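
The pattern reported above (one UDP 123 to 123 packet from a spoofed source, then ICMP from the same spoofed source to other addresses) can be searched for in switch-level flow records. This is an added example, not part of the original messages; the record layout, the lease table, and every MAC and IP value in it are constructed assumptions.

```python
from collections import defaultdict

# Constructed DHCP lease table (MAC -> assigned address); hypothetical data.
LEASES = {
    "00:00:5e:00:53:01": "172.16.10.21",
    "00:00:5e:00:53:02": "172.16.10.22",
    "00:00:5e:00:53:03": "172.16.10.23",
}

# Constructed flow records:
# (epoch seconds, source MAC, src IP, proto, sport, dst IP, dport)
FLOWS = [
    (100, "00:00:5e:00:53:01", "172.16.44.7", "udp", 123, "172.16.201.9", 123),
    (101, "00:00:5e:00:53:01", "172.16.44.7", "icmp", None, "172.16.88.3", None),
    (102, "00:00:5e:00:53:01", "172.16.44.7", "icmp", None, "172.16.140.61", None),
    (150, "00:00:5e:00:53:01", "172.16.44.7", "icmp", None, "172.16.5.200", None),
    # Ordinary NTP from the host's own leased address: must not match.
    (110, "00:00:5e:00:53:02", "172.16.10.22", "udp", 123, "172.16.1.1", 123),
    (111, "00:00:5e:00:53:02", "172.16.10.22", "icmp", None, "172.16.1.1", None),
    # Spoofed source but ICMP only, no UDP 123->123: partial match.
    (120, "00:00:5e:00:53:03", "172.16.77.1", "icmp", None, "172.16.9.9", None),
]

def find_pattern(flows, leases, min_icmp=2):
    """Return {mac: spoofed_src} for hosts showing the full reported pattern."""
    seen = defaultdict(lambda: {"ntp": False, "icmp_dsts": set()})
    for _ts, mac, src, proto, sport, dst, dport in flows:
        if leases.get(mac) == src:
            continue  # source matches the lease, so it is not spoofed
        entry = seen[(mac, src)]  # unknown MACs are treated as spoofing
        if proto == "udp" and sport == 123 and dport == 123:
            entry["ntp"] = True
        elif proto == "icmp":
            entry["icmp_dsts"].add(dst)
    return {mac: src for (mac, src), e in seen.items()
            if e["ntp"] and len(e["icmp_dsts"]) >= min_icmp}

def spoofing_macs(flows, leases):
    """Every MAC that sent any packet with a source other than its lease."""
    return sorted({mac for _ts, mac, src, *_ in flows if leases.get(mac) != src})

if __name__ == "__main__":
    print(find_pattern(FLOWS, LEASES))   # full pattern: candidates to isolate
    print(spoofing_macs(FLOWS, LEASES))  # broader list: any source spoofing
```

Keying on the MAC rather than the source IP is what ties the traffic back to a physical host when the source address is forged.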

