| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tcpdumb at pentiumbuster.homelinux.com (tcpdumb) Subject: possible MS03-026 worm? On Sat, 2 Aug 2003 11:58:00 -0500 "mobly99" <dhopper@...ritech.net> wrote: > Seems to be a possible worm based on the RPC/DCOM exploit making the > rounds? Definetly. Depending on the logfiles from our Firewall at work, there must be something out there. Infected machines found at: 156.34.222.0/24 194.96.90.0/24 196.30.232.0/24 200.0.0.0/8 202.0.0.0/8 and so on. Their traffic is about 50-75% of a day's traffic. Fortunately without any damage to our systems. The worm seems to check hosts with a funny ryhtm within a Subnet: IP=123.123.123.1 $IP+5 $IP+1 $IP+4 $IP+2 $IP+3 $IP+3 $IP+2 $IP+4 $IP+1 $IP+5 ... ... Dunno why but I found it out reading the 24h output of our Firewall. The coder must be stupid/[totally stoned] or simply made a mistake coding the loops for scanning. Strange thing, Lukas > puts these files in %systemdrive% > rpc.exe > rpctest.exe > tftpd.exe > worm.exe > lolx.exe > > also in %windir%\system32 > lolx.exe > dcomx.exe > > rpc.exe and dcomx.exe appear in the running tasks. > > > I pulled samples of them and submitted to SARC. > > > -Dave >
Powered by blists - more mailing lists