lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 20 Mar 2004 19:25:22 +0200
From: Gadi Evron <ge@...tistical.reprehensible.net>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: The witty worm


Information can be found at: http://www.f-secure.com/v-descs/witty.shtml

According to that link the worm sends itself to 20K random IP's,

It's also on a repeat though.

To block it you need to block packets coming from UDP source port 4000.

I'd suggest blocking local port 4000, as well. This thing spreads fast 
and many networks probably send it out now too.

Example Cisco rule which shows how fast this thing spreads (from a 
network ran by a friend of mine, Scott McHenry):

deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)

	Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ