[Dshield] Mydoom, Navarg, Sco what ever

Mark Tombaugh mtombaugh at alliedcc.com
Tue Jan 27 14:27:36 GMT 2004


On Monday 26 January 2004 10:09 pm, Johannes B. Ullrich wrote:
> BTW: I have it running in a honeypot, and I don't see the SCO.com attack
> so far. Has anybody on the list here seen this?

Any interesting results when you set the clock forward? If so, does it use DNS 
to find sco.com? Also, I'm curious if the infected host responds to nmap 
probes (tcp 3127 - 3198).

Lastly, has anyone tried these yet?

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Outbound W32.Novarg.A worm"; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; reference:url,www.cert.org/incident_notes/IN-2004-01.html; sid:696969; classtype:successful-admin;)

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Outbound W32.Novarg.A worm"; content:"|73 65 6e 74 20 61 73 20 61 20 62 69 6e 61 72 79|"; content:"|41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41|"; distance:224; reference:url,www.cert.org/incident_notes/IN-2004-01.html; sid:696969; classtype:successful-admin;)

I just installed them on campus, still quiet...

maybe alert tcp any any -> any 25 etc...
damn ice storm, no coffee....

-- 
   Mark Tombaugh <mtombaugh at alliedcc.com>
   Allied Computer Corporation <http://www.alliedcc.com>
   USiHOST, iNC. <http://www.usihost.com>
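As an added illustration (not part of Mark's post, nor DShield or CERT code), the Python below builds the standard MS-DOS stub bytes that Win32 PE files begin with, shows that their base64 form contains exactly the content strings used in the two rules above (which is why the rules fire on any base64-encoded PE attachment, not only Novarg), and scans a constructed MIME message for base64 parts that decode to an MZ header. The distance/within emulation is simplified, and the attachment name and addresses are made up.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the first 27 bytes of a typical Win32 PE file (the
# standard MS-DOS stub header); it is not a real executable.
DOS_STUB_PREFIX = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000" "b8000000" "00000000" "400000"
)
# Content strings copied from the two rules in the post.
RULE1_CONTENT_A, RULE1_CONTENT_B = "TVqQAAMAAAAEAAAA", "8AALgAAAAAAAAAQ"
RULE2_CONTENT = bytes.fromhex("41414541414141" "2f2f3841414c674141").decode()

def base64_prefix(data: bytes) -> str:
    """Base64 text a mail client emits for the start of an attachment."""
    return base64.b64encode(data).decode("ascii")

def rule1_matches(text: str) -> bool:
    """Simplified emulation of: content A; content B; distance:2; within:20."""
    i = text.find(RULE1_CONTENT_A)
    if i < 0:
        return False
    start = i + len(RULE1_CONTENT_A) + 2          # distance:2 -> skip two bytes past A
    return RULE1_CONTENT_B in text[start:start + 20]  # within:20 -> B inside next 20

def build_sample_message() -> bytes:
    """Constructed MIME mail carrying the stub prefix as a base64 attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "rcpt@example.test"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(DOS_STUB_PREFIX + b"\0" * 64, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()

def scan_message(raw: bytes) -> list:
    """Names of base64 parts whose decoded bytes start with the MZ signature."""
    hits = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            hits.append(part.get_filename() or part.get_content_type())
    return hits

if __name__ == "__main__":
    enc = base64_prefix(DOS_STUB_PREFIX)
    print(enc, rule1_matches(enc), RULE2_CONTENT in enc, scan_message(build_sample_message()))
```

Because the match is on the generic DOS stub, expect hits on every outbound mail with a base64 Win32 attachment; the rule is a coarse indicator to correlate with volume and sender, not a Novarg-specific signature.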