[Dshield] Mydoom, Navarg, Sco what ever

Johannes B. Ullrich jullrich at sans.org
Tue Jan 27 14:56:10 GMT 2004


On Tue, 2004-01-27 at 09:27, Mark Tombaugh wrote:
> On Monday 26 January 2004 10:09 pm, Johannes B. Ullrich wrote:
> > BTW: I have it running in a honeypot, and I don't see the SCO.com attack
> > so far. Has anybody on the list here seen this?
> 
> Any interesting results when you set the clock forward? If so, does it use DNS 
> to find sco.com? Also, I'm curious if the infected host responds to nmap 
> probes (tcp 3127 - 3198).

Did try to set the clock forward. Doesn't help. Not a single port 80
packet.

Yes, the infected host will show an open port 3127 with nmap.



-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
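
A local check for the listener described above, as an added example that is not part of the original message: it parses numeric `netstat -an` or `ss -tln` output and reports TCP sockets listening in the 3127 - 3198 range mentioned in the thread. The function name and the sample output are constructed for illustration.

```python
# Port range asked about in the thread (tcp 3127 - 3198).
PORT_LOW, PORT_HIGH = 3127, 3198

def listeners_in_range(netstat_text, low=PORT_LOW, high=PORT_HIGH):
    """Return sorted (local_address, port) pairs for TCP listeners in [low, high].

    Accepts Windows `netstat -an`, Linux `netstat -tln` and `ss -tln` output.
    Assumes numeric output (-n), so the local endpoint is the first
    address:port token on each line.
    """
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower().startswith("udp"):
            continue
        # Only listening sockets count; an ESTABLISHED connection that merely
        # uses an ephemeral or remote port in the range is not a listener.
        if not {f.upper() for f in fields} & {"LISTEN", "LISTENING"}:
            continue
        for token in fields:
            addr, sep, port = token.rpartition(":")
            if not sep:
                continue  # not an address:port token (proto, queue sizes, state)
            if port.isdigit() and low <= int(port) <= high:
                hits.add((addr.strip("[]") or "*", int(port)))
            break  # first address:port token is the local endpoint
    return sorted(hits)

# Constructed sample mixing the three output formats (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:3127      ESTABLISHED
  TCP    192.0.2.10:3130        198.51.100.7:80        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::3198                 :::*                    LISTEN
LISTEN 0      128            [::]:3199         [::]:*
"""

if __name__ == "__main__":
    for addr, port in listeners_in_range(SAMPLE):
        print(f"listener in {PORT_LOW}-{PORT_HIGH}: {addr} port {port}")
```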