[unisog] http://www.f-secure.com/news/items/news_2003082200.shtml

Dave Ellingsberg dave.ellingsberg at csu.mnscu.edu
Fri Aug 22 18:38:24 GMT 2003




Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT).
X-Force is recommending wholesale outbound filtering of 
the following IP addresses:


The request method uses UDP port 8998. X-Force also 
recommends that this port be filtered outbound.




>>> Mike Iglesias <iglesias at draco.acs.uci.edu> 8/22/2003 11:42:19 AM >>>
> http://www.f-secure.com/news/items/news_2003082200.shtml 

It would be nice to get the list of 20 "pre-hacked" machines that Sobig-F
is going to contact so people can block them at their border router.
Anyone have the list?


Mike Iglesias                          Email:       iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
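
An added example, not part of the original messages: once the outbound filters recommended above are in place, the border firewall's log shows which internal hosts tried to reach the blocked servers or UDP port 8998, and so which machines are likely infected. The log format, the internal range 10.0.0.0/8 and the blocked addresses (RFC 5737 documentation addresses) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SOBIG_UDP_PORT = 8998  # outbound request port named in the advisory

# Constructed RFC 5737 placeholders, NOT the advisory's addresses.
BLOCKED_SERVERS = {"192.0.2.10", "192.0.2.20"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site range

# Constructed flow records: "time proto src:sport dst:dport action"
SAMPLE_LOG = """\
2003-08-22T19:00:01Z udp 10.1.4.17:1034 192.0.2.10:8998 deny
2003-08-22T19:00:02Z udp 10.1.4.17:1035 192.0.2.20:8998 deny
2003-08-22T19:00:05Z tcp 10.2.0.9:3312 198.51.100.7:80 allow
2003-08-22T19:00:07Z udp 10.3.8.44:1029 203.0.113.5:8998 deny
2003-08-22T19:00:09Z udp 192.0.2.10:8998 10.1.4.17:1034 deny
garbage line that does not parse
2003-08-22T19:01:00Z tcp 10.5.5.5:4000 192.0.2.20:25 deny
"""

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port'; raises ValueError on malformed input."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def suspect_hosts(log_text, blocked=BLOCKED_SERVERS, net=INTERNAL_NET):
    """Map each internal source to the reasons it matched the advisory."""
    blocked_ips = {ipaddress.ip_address(b) for b in blocked}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that are not in the assumed format
        _, proto, src, dst, _ = fields
        try:
            (sip, _), (dip, dport) = split_endpoint(src), split_endpoint(dst)
        except ValueError:
            continue
        if sip not in net:
            continue  # only outbound traffic from our own hosts matters
        if dip in blocked_ips:
            hits[str(sip)].add("blocked-server")
        if proto == "udp" and dport == SOBIG_UDP_PORT:
            hits[str(sip)].add("udp-8998")
    return {host: sorted(reasons) for host, reasons in hits.items()}

if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(host, ",".join(reasons))
```

A host that shows up only under `udp-8998` is contacting a server that is not on the blocked list, which is worth a closer look.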


