| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1138233942.38938.56.camel@localhost> Date: Thu Jan 26 00:05:57 2006 From: frank at knobbe.us (Frank Knobbe) Subject: Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included) On Wed, 2006-01-25 at 17:54 -0600, Kevin wrote: > Is there anything unique about the URL for the request BlackWorm makes > towards "webstats.web.rcn.net", such as the arguments to df= ? The worm accesses a unique number after the df=. If you supply a differnet number, you access (or create) a different counter. df=testme also qualifies as a counter. Strangely, ?dfudge=xxx also works. I guess the script only checks for df and ignores anything after that. df = data file? Anyway... if the numbers are different, you may have other applications/viruses/things than the Nymex accessing a different counter. Cheers, Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060125/f50fac58/attachment.bin
Powered by blists - more mailing lists