[unisog] Worm exploiting Symantec client defect?????

John Ives jives at security.berkeley.edu
Mon Nov 27 23:29:37 GMT 2006

I have tried to join ren-isac by using the instructions at
http://www.ren-isac.net/membership.html and never got a response to my
email.  A co-worker tried calling their watch desk after we received one
report and had similar results. 

As for the symantec exploit, we had a big push to get people to update
when we became aware of the problem in May and for the most part we
haven't had too much of a problem.  Also about two weeks ago we had
someone sweep through campus looking for boxes to exploit with this
(they found less than a dozen), which where (for the most part)
subsequently cleaned up before this latest wave (though I have seen a
lot of inbound attacks). 


Russell Fulton wrote:
> Gary,
> There has been discussion on the ren-isac IRC channel this morning with
> a couple of sites reporting finding machines scanning on 2967.   It
> isn't clear if these are newly compromised using this vulnerability or
> whether they were part of an existing bot net but by the time they were
> found scanning they were definitely controlled by an IRC based bot net.
> >From looking at the graph on the ISC site I'd guess that this isn't a
> worm, rather it is existing bots being commanded to scan for 2967.
> BTW I would urge any university security folk who have not yet done so
> to join REN-ISAC.  They are producing great intelligence in a timely
> manner.  http://www.ren-isac.net/
> Cheers, Russell.
> Gary Flynn wrote:
>> Anyone know anything more about what SANS
>> is reporting on this?
>> http://isc.sans.org//index.php
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

John Ives                                           Phone (510) 642-7773
GSEC, GCIH, GCWN                                     Cell (510) 229-8676
System & Network Security
University of California, Berkeley

"If you spend more on coffee than on IT security, then you will be 
hacked. What's more, you deserve to be hacked."

Richard Clarke
(Former Special Advisor to the President on Cybersecurity) 

More information about the unisog mailing list