Fwd: Re: [Dshield] Mydoom, Navarg, Sco what ever

Mark Tombaugh mtombaugh at alliedcc.com
Tue Jan 27 14:36:40 GMT 2004


I think the snort sigs triggered some AV...

----------  Forwarded Message  ----------

Subject: Re: [Dshield] Mydoom, Navarg, Sco what ever
Date: Tuesday 27 January 2004 9:27 am
From: Mark Tombaugh <mtombaugh at alliedcc.com>
To: General DShield Discussion List <list at dshield.org>

On Monday 26 January 2004 10:09 pm, Johannes B. Ullrich wrote:
> BTW: I have it running in a honeypot, and I don't see the SCO.com attack
> so far. Has anybody on the list here seen this?

Any interesting results when you set the clock forward? If so, does it use
DNS to find sco.com? Also, I'm curious if the infected host responds to nmap
probes (tcp 3127 - 3198).

[snort-sigs snipped]

-- 
   Mark Tombaugh <mtombaugh at alliedcc.com>
   Allied Computer Corporation <http://www.alliedcc.com>
   USiHOST, iNC. <http://www.usihost.com>



