| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ecchien at yahoo.com (Eric Chien) Subject: Sasser skips 10.x.x.x Why? --- Frank Knobbe <frank@...bbe.us> wrote: > On Mon, 2004-05-03 at 14:44, Eric Chien wrote: > > Actually, it is all variants (.A - .D). And more > > specifically, it iterates through all the host IP > > addresses looking for an address that does not > match: > > 127.0.0.1 > > 10. > > 172.16 - 172.31 (inclusive) > > 192.168. > > 169.254 > > > > Then, using this address it creates a random > address > > (sometimes changing all octets, sometimes just the > > last three, and sometimes just the last two). > > Word has it that this is not true. While the code > for the address check > is there, it doesn't appear to work on some Sasser > variants. There are > reports of infected 10/8 and 192.168/16 networks. As stated above, the IP exclusions are applied to the _host IP_ which is used as a base to randomly generate a victim IP. The victim IP can be a 10/8, 192.168/16, etc. for example, in the case when all octets are randomly generated. When all of the _host_ IPs match the exclusion range, 127.0.0.1 is used as the base IP to randomly generate the victim IP. ...Eric
Powered by blists - more mailing lists