lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Nov 2003 09:14:10 -0800
From: "David Gillett" <>
To: "'Jose Nazario'" <>,
	"'Jay D. Dyson'" <>
Cc: "'Bugtraq'" <>
Subject: RE: Router Worm?

  I've never seen it do that, in the about 50 or so instances
I've encountered.  Does it only do it occasionally?  Does it
attack the same host against which 135/tcp failed, or some
random third party?
  (Does it, perhaps, distinguish between 135/tcp "failed to 
connect" and 135/tcp "connected, but target was patched and
so could not be infected"?)

David Gillett

> -----Original Message-----
> From: Jose Nazario []
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
> its welchia/nachi. when it can't connect via 135/tcp, it will 
> attempt an
> exploit against a webdav server (see MS03-007).
> i've seen an uptick in this in the past couple of days, too, 
> visible on a
> few httpd servers i track. and i, too, was caught off guard 
> until someone
> pointed out it was nachi to me. digging into the tech details 
> showed that
> i (and many of us) had been overlooking a secondary attack.
> ___________________________
> jose nazario, ph.d.

Powered by blists - more mailing lists