[Dshield] NetSky observation

Pete Cap peteoutside at yahoo.com
Fri Feb 20 15:57:05 GMT 2004

Hey Jayjwa,
Anything singular about the packet trace or is it just your typical SYN?


jayjwa <jayjwa at atr2.ath.cx> wrote:

On Thu, 19 Feb 2004, Paul Marsh wrote:
> I've seen it in a long time. Yesterday 5 viri stopped at my perimeter
> today it's stopped 2. How is everyone else making out, has it quieted
> down? I read some where (can't remember where) that it's possible that
> NetSky was created by an AV insider? Is NetSky a good worm or are we
> just waiting for the second shoe to drop?

Very quite here worm-wise, but what I AM seeing is ALOT of people scanning
for MyDoom ports, most likely due to the client for the MyDoom proxy being
released, in executable form no less. That gives the kids something to
play with, I see the same patterns hitting the Doom ports, over and over
and over... It's really amazing how frequently- I dare say port 3127 gets
probed at least 3-4 times a minute. I got a good packet dump yesterday.

%jayjwa% RLF#37 "Gnu for ALL. SCO Never."
Vx_Labs Research Group @ Atr2
PGP Key-Fetch: B628B851
Jung xvaqn jnpxb qrpbqrf ebg13 sebz fvtf ?

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.

More information about the list mailing list