.ida worm followup
crispy at nic.umass.edu
Fri Jul 20 14:23:37 GMT 2001
Yesterday, after getting our first report of .ida-like symptoms, I blocked
the compromised hosts at our border. We cleaned the boxes and had the
admin patch them. I came in this morning and realized we had not removed
the ACL to drop traffic from these hosts. The logs showed the boxes making
attempted connections to IRC servers, which they should not be making.
I saw the same behavior from a couple of boxes earlier in the week
compromised via IIS-unicode...
I'm not onsite, so I can't verify the boxes, but may be something to
keep an eye out for...
Christopher Misra Network Analyst
OIT/Network Systems and Services LGRC A153
University of Massachusetts Amherst, MA 01003
E-mail: cmisra at nic.umass.edu