.ida worm followup

Christopher Misra crispy at nic.umass.edu
Fri Jul 20 14:23:37 GMT 2001


Yesterday, after getting our first report of .ida-like symptoms I blocked
the compromised hosts at our border. We cleaned the boxes and had the 
admin patch them. I came in this morning and realized we had not removed
the acl to drop traffic from these hosts. The logs showed the boxes making
attempted connections to irc servers, which they should not be making. 
I saw the same behavior from a couple of boxes earlier in the week
compromised via IIS-unicode...

I'm not onsite, so I can't verify the boxes, but may be something to 
keep an eye out for...

				- Chris

Christopher Misra                                    Network Analyst 
OIT/Network Systems and Services                        LGRC A153
University of Massachusetts                         Amherst, MA  01003
E-mail: cmisra at nic.umass.edu

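The check the post describes, as an added example that is not part of the original message: parse border ACL deny logs and flag hosts that were already cleaned but are still trying to reach IRC servers. The Cisco-style log syntax, the cleaned-host list, the IRC port set and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of border ACL deny log lines (Cisco IPACCESSLOGP-style
# syntax is an assumption; these are not the original poster's logs).
SAMPLE_LOG = """\
Jul 20 08:01:12 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.2.3(1044) -> 192.0.2.10(6667), 1 packet
Jul 20 08:01:15 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.2.3(1045) -> 192.0.2.11(6667), 1 packet
Jul 20 08:02:40 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.2.7(1200) -> 198.51.100.5(80), 3 packets
Jul 20 08:03:02 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.2.9(1300) -> 192.0.2.12(6697), 1 packet
"""

# Assumed: the hosts that were cleaned and patched yesterday.
CLEANED_HOSTS = {"10.1.2.3", "10.1.2.7"}
# Common IRC server ports (assumed set for this example).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

LINE_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_denies(log_text):
    """Yield (src, dst, dport, count) for every ACL deny line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["count"])

def irc_attempts_from_cleaned_hosts(log_text, cleaned_hosts=CLEANED_HOSTS):
    """Map each cleaned host to the (dst, port) IRC targets it still tried."""
    findings = defaultdict(set)
    for src, dst, dport, _ in parse_denies(log_text):
        if src in cleaned_hosts and dport in IRC_PORTS:
            findings[src].add((dst, dport))
    return dict(findings)

if __name__ == "__main__":
    # A cleaned host that is still reaching for IRC deserves a second look.
    for host, dests in irc_attempts_from_cleaned_hosts(SAMPLE_LOG).items():
        print(f"{host}: still attempting IRC connections to {sorted(dests)}")
```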