[unisog] http://www.f-secure.com/news/items/news_2003082200.shtml

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 22 18:45:40 GMT 2003


On Fri, 22 Aug 2003 09:42:19 PDT, Mike Iglesias said:
> > http://www.f-secure.com/news/items/news_2003082200.shtml
> 
> It would be nice to get the list of 20 "pre-hacked" machines that Sobig-F
> is going to contact so people can block them at their border router.
> Anyone have the list?

Apparently half have been taken down already, but only 1 needs to be up to
make things bad.

Also, a router ACL only means any of YOUR boxes won't phone home - we don't
know yet what will be inbound from infected machines that do make it home...

------
Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT).
X-Force is recommending wholesale outbound filtering of
the following IP addresses:

The request method uses UDP port 8998. X-Force also
recommends that this port be filtered outbound.
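
An added example, not part of the original post or the X-Force advisory: once the outbound filter is in place, the denied flows themselves show which internal hosts tried to phone home and need cleaning. The flow-record format, the internal range 10.20.0.0/16 and the server addresses (RFC 5737 documentation addresses) are constructed assumptions; only UDP port 8998 comes from the text above.

```python
import csv
import ipaddress
from collections import defaultdict

SOBIG_F_PORT = 8998  # UDP port named in the advisory quoted above

# Constructed stand-ins (RFC 5737 documentation addresses), not the advisory's list.
BLOCKED_SERVERS = {"192.0.2.10", "198.51.100.20"}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed campus range

# Constructed flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2003-08-22T19:00:02Z,10.20.4.17,192.0.2.10,udp,8998,deny
2003-08-22T19:00:03Z,10.20.4.17,198.51.100.20,udp,8998,deny
2003-08-22T19:00:05Z,10.20.9.88,203.0.113.5,udp,8998,permit
2003-08-22T19:00:07Z,10.20.1.2,203.0.113.53,udp,53,permit
2003-08-22T19:00:09Z,10.20.7.30,192.0.2.10,tcp,80,deny
2003-08-22T19:00:11Z,203.0.113.77,10.20.3.3,udp,8998,deny
garbled line without enough fields
"""

def find_suspect_hosts(flow_text, internal=INTERNAL_NET,
                       blocked=BLOCKED_SERVERS, port=SOBIG_F_PORT):
    """Map each internal source to the reasons it looks infected."""
    suspects = defaultdict(set)
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed records
        _, src, dst, proto, dport, action = row
        try:
            if ipaddress.ip_address(src) not in internal:
                continue  # inbound or transit traffic is out of scope here
            dport = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if proto == "udp" and dport == port:
            suspects[src].add(f"udp/{port} to {dst} ({action})")
        if dst in blocked:
            suspects[src].add(f"listed server {dst} ({action})")
    return {host: sorted(reasons) for host, reasons in suspects.items()}

if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(reasons))
```

A host that shows up with a `permit` action reached a destination the filter did not cover, so it deserves attention first.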
