[Dshield] New variant of Blaster?

Funk Jr, Joseph C. jcfunkjr at co.bucks.pa.us
Thu Jun 17 14:51:05 GMT 2004


As far as MAC addy goes, can you span the switch ports and cap the
traffic? I'm assuming you're saying that it's local (meaning a compromised
PC internally is passing this traffic), then you may get the MAC
(provided it ain't spoofed as well).  Of course if it's external (or
even internal but on another LAN since the IP is bad), you don't have an
option of getting the MAC.  I couldn't say myself if it's a new Blaster
variant though.  However, it would seem reasonable enough that it could
be a lot of things, seeing how common it is to use port 80 as the source
to pass firewall filters, as well as spoof 127.0.0.1.





-----Original Message-----
From: Security Guy [mailto:securityguy at dslextreme.com] 
Sent: Wednesday, June 16, 2004 6:00 PM
To: list at dshield.org
Subject: [Dshield] New variant of Blaster?

We're getting a lot of what looks like Blaster (spoofs 127.0.0.1, attack
port is always 80, random high number victim port) but it's not setting
off the Blaster signatures already loaded into the IDS.  The problem is
that our lame IDS doesn't give us a MAC address - just the loopback
adaptor address.

Any suggestions?

- SG
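
An added example, not part of either message above: once a SPAN-port capture has been saved in classic pcap format, a short script can tally which Ethernet source MACs are emitting frames that match the reported pattern (source address in 127.0.0.0/8, TCP source port 80). The function names, MAC addresses and sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def loopback_source_macs(pcap: bytes) -> Counter:
    """Count source MACs of IPv4/TCP frames claiming a 127.0.0.0/8 source and source port 80."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not plain IPv4 (VLAN-tagged frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 6 or ip[12] != 127 or frag_offset or len(ip) < ihl + 4:
            continue  # not TCP, source outside 127.0.0.0/8, or no TCP header present
        sport = struct.unpack("!H", ip[ihl:ihl + 2])[0]
        if sport == 80:
            hits[":".join(f"{b:02x}" for b in frame[6:12])] += 1
    return hits

def _frame(src_mac: str, src_ip: str, sport: int) -> bytes:
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000aaa") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 0, 0x50, 0x14, 0, 0, 0)
    return eth + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: two frames match the reported pattern, two do not."""
    frames = [_frame("02:00:00:00:00:01", "127.0.0.1", 80),
              _frame("02:00:00:00:00:02", "192.0.2.20", 80),
              _frame("02:00:00:00:00:01", "127.0.0.1", 80),
              _frame("02:00:00:00:00:03", "127.0.0.1", 1025)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for mac, count in loopback_source_macs(sample_pcap()).most_common():
        print(mac, count)
```

A MAC reported this way is only as trustworthy as the frame header, and for traffic routed in from another LAN it will be the router interface's MAC rather than the originating host's.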
