[Dshield] Mydoom, Navarg, Sco what ever
Johannes B. Ullrich
jullrich at sans.org
Tue Jan 27 14:56:10 GMT 2004
On Tue, 2004-01-27 at 09:27, Mark Tombaugh wrote:
> On Monday 26 January 2004 10:09 pm, Johannes B. Ullrich wrote:
> > BTW: I have it running in a honeypot, and I don't see the SCO.com attack
> > so far. Has anybody on the list here seen this?
> Any interesting results when you set the clock forward? If so, does it use DNS
> to find sco.com? Also, I'm curious if the infected host responds to nmap
> probes (tcp 3127 - 3198).
did try to set the clock forward. Doesn't help. not a single port 80
Yes, the infected host will show an open port 3127 with nmap.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040127/4e01d7d3/attachment.bin
More information about the list