[Dshield] New variant of Blaster?
Funk Jr, Joseph C.
jcfunkjr at co.bucks.pa.us
Thu Jun 17 14:51:05 GMT 2004
As far as MAC addy goes, can you span the switch ports and cap the
traffic? I'm assuming you're saying that it's local (meaning a compromised
PC internally is passing this traffic); then you may get the MAC
(provided it ain't spoofed as well). Of course, if it's external (or
even internal but on another LAN, since the IP is bad), you don't have an
option of getting the MAC. I couldn't say myself if it's a new Blaster
variant, though. However, it would seem reasonable enough that it could
be a lot of things, seeing how common it is to use port 80 as the source
to pass firewall filters, as well as spoof 127.0.0.1.

From: Security Guy [mailto:securityguy at dslextreme.com]
Sent: Wednesday, June 16, 2004 6:00 PM
To: list at dshield.org
Subject: [Dshield] New variant of Blaster?
We're getting a lot of what looks like Blaster (spoofs 127.0.0.1, attack
port is always 80, random high number victim port) but it's not setting
the Blaster signatures already loaded into the IDS. The problem is that
lame IDS doesn't give us a MAC address - just the loopback adaptor
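
An added example, not part of the original messages: a sketch of what the span-port capture suggested in the reply can yield, reading raw Ethernet frames and tallying the source MAC of TCP packets that claim a 127.0.0.0/8 source and source port 80. The function names, MAC addresses and sample frames are constructed for illustration; only untagged IPv4 frames are handled.

```python
import struct
from collections import Counter

def build_frame(src_mac, src_ip, sport, dport, dst_ip="192.0.2.10"):
    """Constructed sample: Ethernet + 20-byte IPv4 + 20-byte TCP, checksums left 0."""
    eth = bytes.fromhex("020000000001" + src_mac.replace(":", "")) + b"\x08\x00"
    addr = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src_ip), addr(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    return eth + ip + tcp

def inspect_frame(frame):
    """Return (src_mac, src_ip, sport, dport) for an IPv4/TCP frame whose source
    address is in 127.0.0.0/8, which should never appear on the wire; else None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":  # untagged IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 4:
        return None
    if ip[9] != 6 or ip[12] != 127:               # TCP with a loopback source
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:  # later fragment: no TCP header
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ".".join(str(b) for b in ip[12:16]), sport, dport

def summarize(frames, sport=80):
    """Count loopback-sourced frames with the given source port per source MAC.
    The MAC is only the last layer-2 hop: for traffic routed in from another
    LAN it is the router's interface, not the originating host."""
    hits = Counter()
    for f in frames:
        r = inspect_frame(f)
        if r and r[2] == sport:
            hits[r[0]] += 1
    return hits

# Constructed frames, standing in for a capture taken from a SPAN/mirror port.
SAMPLE = [
    build_frame("02:00:00:aa:bb:01", "127.0.0.1", 80, 1734),
    build_frame("02:00:00:aa:bb:01", "127.0.0.1", 80, 1901),
    build_frame("02:00:00:aa:bb:02", "10.0.0.5", 80, 1500),    # ordinary source IP
    build_frame("02:00:00:aa:bb:03", "127.0.0.1", 4444, 80),   # loopback, other port
]

if __name__ == "__main__":
    for mac, n in summarize(SAMPLE).most_common():
        print(f"{mac}  {n} frame(s) from 127.0.0.0/8 with source port 80")
```

A MAC that keeps appearing in this tally can then be looked up in the switch's forwarding table to find the port it sits behind.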