Open Source and information security mailing list archives
 
Message-ID: <20040503221649.15766.qmail@web40408.mail.yahoo.com>
From: ecchien at yahoo.com (Eric Chien)
Subject: Sasser skips 10.x.x.x Why?

--- Frank Knobbe <frank@...bbe.us> wrote:
> On Mon, 2004-05-03 at 14:44, Eric Chien wrote:
> > Actually, it is all variants (.A - .D).  And more
> > specifically, it iterates through all the host IP
> > addresses looking for an address that does not match:
> > 127.0.0.1
> > 10.
> > 172.16 - 172.31 (inclusive)
> > 192.168.
> > 169.254
> > 
> > Then, using this address it creates a random address
> > (sometimes changing all octets, sometimes just the
> > last three, and sometimes just the last two).
> 
> Word has it that this is not true. While the code for the
> address check is there, it doesn't appear to work on some
> Sasser variants. There are reports of infected 10/8 and
> 192.168/16 networks.

As stated above, the IP exclusions are applied to the
_host IP_ which is used as a base to randomly generate
a victim IP.  The victim IP can be a 10/8, 192.168/16,
etc. for example, in the case when all octets are
randomly generated.

When all of the _host_ IPs match the exclusion range,
127.0.0.1 is used as the base IP to randomly generate
the victim IP.

...Eric
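
[Added example, not part of the original message and not code from the worm:
a defender-side model of the logic described above, showing which RFC 1918
ranges fall inside the scan space of a host with given addresses. Picking the
first non-excluded address is an assumption; the function names and the sample
addresses are constructed.]

```python
import ipaddress

# Exclusion list from the message; it is applied to the HOST's own addresses.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Number of leading bits kept from the base address in each described mode.
MODES = {"all_octets": 0, "last_three": 8, "last_two": 16}


def select_base(host_ips):
    """Return the first host address outside EXCLUDED, else 127.0.0.1.

    Assumption: the first non-matching address wins; the message only says
    the host addresses are iterated.
    """
    for ip in map(ipaddress.ip_address, host_ips):
        if not any(ip in net for net in EXCLUDED):
            return ip
    return ipaddress.ip_address("127.0.0.1")


def scan_space(base, mode):
    """Network covering every address the given mode can derive from base."""
    return ipaddress.ip_network(f"{base}/{MODES[mode]}", strict=False)


def private_exposure(host_ips):
    """Return (base, {mode: private ranges the mode's scan space overlaps})."""
    base = select_base(host_ips)
    exposure = {
        mode: [str(p) for p in PRIVATE if scan_space(base, mode).overlaps(p)]
        for mode in MODES
    }
    return base, exposure


if __name__ == "__main__":
    # Constructed sample hosts: one with only private addresses, one dual-homed.
    for ips in (["10.1.2.3", "192.168.0.5"], ["10.1.2.3", "203.0.113.7"]):
        base, exposure = private_exposure(ips)
        print(ips, "-> base", base)
        for mode, ranges in exposure.items():
            print(f"  {mode:<11} {scan_space(base, mode)!s:<15} private: {ranges}")
```

For both sample hosts only the all-octets mode overlaps private space, which
is why the host-side exclusion does not keep 10/8 or 192.168/16 networks from
being probed.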

