From: "Kutulu"
To: "Peter Ong", "Julien B."
Subject: Re: Trying NT Hacks
Date: Thu, 27 Dec 2001 22:14:05 -0800

From: "Peter Ong"
Sent: Thursday, December 27, 2001 7:02 PM
Subject: Re: Trying NT Hacks

> Really... I just wonder how they figure out the IPs, other than randomly
> guessing. Someone did mention that, and I guess there really aren't that
> many IP addresses that a computer could randomly generate in a short amount
> of time without covering the whole spectrum.

They are scanning. Nimda doesn't just guess IPs, it tries every single IP in the entire subnet. That is, if your IP address is 192.168.45.23 and you are infected, your machine will loop through trying to connect (and infect) every IP address from 192.168.0.1 to 192.168.255.254. This can be quite time-consuming (especially if many of those IPs are not online, or dropping packets aimed at port 80 without sending a RST).
But the worm isn't really concerned about the efficiency of the machine it infected, or the bandwidth it's wasting, so it turns out to be quite an effective way to spread.

--K
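Seen from the defending side, the sweep described in the message above shows up as one source touching many distinct port-80 addresses inside its own /16 within a short time. The following is an added example, not part of the original message: the log format, threshold and window are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from itertools import islice

# Assumed (hypothetical) connection-log format: "<epoch> <src_ip> <dst_ip> <dst_port>"
THRESHOLD = 100  # assumed: distinct port-80 targets per window that counts as a sweep
WINDOW = 60      # assumed window length in seconds


def own_slash16(ip):
    """The range the message describes: 192.168.45.23 -> 192.168.0.0/16."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def find_sweepers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: most distinct same-/16 port-80 targets in any one window}
    for every source that reaches the threshold."""
    buckets = defaultdict(set)  # (src, window index) -> distinct destinations
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, port = parts
        try:
            slot = int(ts) // window
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            if int(port) != 80:
                continue
        except ValueError:
            continue
        if dst_ip in own_slash16(src_ip):
            buckets[(src, slot)].add(dst_ip)
    worst = defaultdict(int)
    for (src, _), targets in buckets.items():
        worst[src] = max(worst[src], len(targets))
    return {src: n for src, n in worst.items() if n >= threshold}


def sample_log():
    """Constructed records: one host walking its /16, one ordinary client."""
    t0 = 1009509720
    targets = islice(own_slash16("192.168.45.23").hosts(), 300)
    log = [f"{t0 + i // 10} 192.168.45.23 {dst} 80" for i, dst in enumerate(targets)]
    log += [f"{t0} 192.168.45.7 192.168.1.10 80", f"{t0 + 1} 192.168.45.7 192.168.1.10 80",
            f"{t0 + 2} 192.168.45.7 192.168.1.11 80", f"{t0 + 3} 192.168.45.7 203.0.113.5 80",
            f"{t0 + 4} 192.168.45.7 192.168.1.12 25", "truncated record"]
    return log


if __name__ == "__main__":
    print(find_sweepers(sample_log()))
```

Counting distinct destinations rather than raw connections keeps a client that reloads one internal web server many times from being flagged.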