Message-ID: <20030920204140.C617C6934@mdev.river.com>
From: rnews at whirlpool.river.com (Richard Johnson)
Subject: Probable new MS DCOM RPC worm for Windows

We've noticed increased scan activity on port 135, ramping up over the
past 20 hours.

The scanning appears to concentrate on nearby /16s. For example, when
the source host has IP in 10.117.68.0/24, we've seen scanning of at
least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
10.116.0.0/16, and nowhere else yet.

We've also had 2nd-hand reports of svchost.exe being killed on hosts
being attacked, causing downloading patches during the attack to fail.

Also, at least two dialup links are being flooded into uselessness by
the scan traffic from others nearby.

Richard
-------

Example headers:

Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
--
To reply via email, make sure you don't enter the whirlpool on river left.
My mailbox. My property. My personal space. My rules. Deal with it.
http://www.river.com/users/share/cluetrain/
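
Added example (not part of the original message): a Python sketch that parses tcpdump lines in the format shown under "Example headers" and groups connection attempts to port 135 by source /24 and destination /16, to check for the nearby-/16 pattern described above. The function names, the min_nets threshold and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump text form: "<src ip>.<sport> > <dst ip>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def summarize_scans(lines, port=135):
    """Return {source /24: {destination /16: [hosts]}} for initial SYNs to `port`."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        if m["flags"] != "S" or " ack " in line:  # keep connection attempts only
            continue
        src_net = ipaddress.ip_network(m["src"] + "/24", strict=False)
        dst_net = ipaddress.ip_network(m["dst"] + "/16", strict=False)
        seen[str(src_net)][str(dst_net)].add(m["dst"])
    return {s: {d: sorted(h) for d, h in nets.items()} for s, nets in seen.items()}

def spreading_sources(summary, min_nets=3):
    """Source /24s probing at least `min_nets` distinct /16s (threshold is an assumption)."""
    return sorted(s for s, nets in summary.items() if len(nets) >= min_nets)

SAMPLE = [
    # The first three lines are the headers quoted in the message.
    "Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    # Constructed lines: unrelated web traffic and a record that is not TCP.
    "Sep 20 14:01:02.000001 0800 62: 10.117.68.50.1920 > 10.116.132.184.80: S 1:1(0) win 8760 (DF)",
    "Sep 20 14:01:03.000002 arp who-has 10.117.68.1 tell 10.117.68.50",
]

if __name__ == "__main__":
    summary = summarize_scans(SAMPLE)
    for src, nets in summary.items():
        print(src, "->", nets)
    print("spreading:", spreading_sources(summary))
```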