Message-ID: <20040119174031.6d492b09@codeine.the-penguin.org.uk>
From: zen32689 at zen.co.uk (George Adamopoulos)
Subject: Reverse http traffic revisited

On 18 Jan 2004 01:12:17 -0800
"Daniel H. Renner" <dan@...angelescomputerhelp.com> wrote:

> ICMP PING CyberKit 2.2 Windows

This is how Snort detects Blaster's/Nachi's attempts to ping an IP in order to check if it's alive, before trying to connect to port 80. Could be another variation of the Blaster worm. I would check (also, Snort may detect CyberKit's 2.2 packets as well, but I suppose that is something you would know of). If the packets are incoming, it is a normal thing that I witness in Snort's logs as well very often. Actually, I have removed the rule from Snort's rulesets, because it used to fill my logs with CyberKit attempts :P. If it is outgoing traffic, I would suggest that you should run Trend's HouseCall (free online antivirus) on the Windows servers/workstations of your network.

Also... gateway.dll is because of MSN chat. If you add a deny ACL for gateway.dll in your squid.conf, your workstations won't be able to use MSN chat any more.

Giorgos Adamopoulos
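
The inbound/outbound distinction made in the message above can be applied to a Snort alert log mechanically. The following is an added example, not part of the original post: it assumes Snort's one-line "fast" alert format and a hypothetical internal range of 192.168.0.0/16, and the log lines, rule IDs and addresses in it are constructed for illustration.

```python
import ipaddress
import re

SIGNATURE = "ICMP PING CyberKit 2.2 Windows"
# Assumption: the internal ranges of the monitored network (Snort's HOME_NET).
HOME_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# One-line alert: "<time> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETS)

def triage(lines):
    """Split alerts for SIGNATURE into inbound noise and internal senders.

    Returns (inbound_count, suspects), where suspects is a list of
    (internal_host, distinct_targets_pinged), busiest host first.
    """
    inbound = 0
    targets = {}  # internal source -> set of destinations it pinged
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group("msg") != SIGNATURE:
            continue  # unparsable line or a different rule
        if is_internal(m.group("src")):
            targets.setdefault(m.group("src"), set()).add(m.group("dst"))
        else:
            inbound += 1
    suspects = sorted(((h, len(t)) for h, t in targets.items()),
                      key=lambda item: (-item[1], item[0]))
    return inbound, suspects

# Constructed sample log (documentation addresses, made-up timestamps).
SAMPLE = """\
01/18-01:12:17.101 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.168.1.10
01/18-01:12:18.204 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 198.51.100.4
01/18-01:12:18.310 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 198.51.100.5
01/18-01:12:19.002 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.77 -> 192.168.1.10
01/18-01:12:19.450 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.23 -> 198.51.100.6
01/18-01:12:20.007 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.40 -> 203.0.113.50
01/18-01:12:21.900 [**] [1:1000001:1] EXAMPLE unrelated local rule [**] [Priority: 3] {TCP} 192.168.1.99:1042 -> 203.0.113.50:80
"""

if __name__ == "__main__":
    inbound, suspects = triage(SAMPLE.splitlines())
    print(f"inbound alerts (external source): {inbound}")
    for host, count in suspects:
        print(f"scan this host: {host} pinged {count} distinct address(es)")
```

Hosts listed as suspects are the internal machines that would get the antivirus scan suggested in the message; the inbound count is the background noise the author describes.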

