Open Source and information security mailing list archives
 
Message-ID: <4798.24.236.189.189.1082876689.squirrel@huskymail.mtu.edu>
From: ddh at mtu.edu (David Hale)
Subject: Re: Outbreak of a virus on campus

  Most folks should probably change the sid number to something above
1000000 to comply with snort standards.   My sid number was fairly
random based off the first number that came to my head.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University


>   We have currently blocked connections to/from port 7000 on the
> following hosts:
>
> 130.74.82.206
> 131.234.100.43
> 193.87.20.31
>
>   This seems to have contained the spread of the worm within our campus.
> The list of hosts was gathered with a snort signature of:
>
> alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)
>
>   Until the block was in place we had shut down around 50 hosts (mainly on
> our dorm network) that had been infected with the worm.
>
>   -Dave Hale
>    Sr. Security Specialist
>    Michigan Technological University
>
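
The sid renumbering suggested in the reply, as an added example that is not part of the original messages: it parses a rule's options without being fooled by a `;` inside a quoted string, and moves any sid below 1,000,000 into the range the Snort manual sets aside for local rules. The names `options` and `to_local_sid`, and the choice to add 1,000,000 to the old number, are assumptions made for this illustration.

```python
import re

LOCAL_SID_MIN = 1_000_000  # Snort manual: sids >= 1,000,000 are for local rules

# The rule from the quoted message, re-joined from its two wrapped lines.
RULE = ('alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; '
        'content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)')

# One option: any run of characters up to a ';' that is outside double quotes.
OPTION = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def options(rule):
    """Yield (key, value, match) for each option between the parentheses."""
    start = rule.index("(") + 1
    end = rule.rindex(")")
    for m in OPTION.finditer(rule, start, end):
        key, _, value = m.group().partition(":")
        if key.strip():
            yield key.strip(), value.strip(), m

def to_local_sid(rule, offset=LOCAL_SID_MIN):
    """Return (sid, rule), renumbering only when the sid is below the local range.

    Adding `offset` keeps the old number recognisable; that mapping is an
    assumption of this example, not something the messages prescribe.
    """
    for key, value, m in options(rule):
        if key != "sid":
            continue
        sid = int(value)
        if sid >= LOCAL_SID_MIN:
            return sid, rule
        new = sid + offset
        # Rewrite only the text of the sid option itself, using its span.
        patched = m.group().replace(value, str(new), 1)
        return new, rule[:m.start()] + patched + rule[m.end():]
    raise ValueError("rule has no sid option")

if __name__ == "__main__":
    sid, fixed = to_local_sid(RULE)
    print(sid)
    print(fixed)
```
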


