Date:      Sun, 30 Dec 2001 23:24:08 -0700
From:      "Chad R. Larson" <chad@DCFinc.com>
To:        Kutulu <kutulu@kutulu.org>
Cc:        Peter Ong <peter@haloflightleader.net>, "Julien B." <jbe@cpu.ath.cx>, freebsd-stable@FreeBSD.ORG
Subject:   Re: Trying NT Hacks
Message-ID:  <20011230232408.D27209@freeway.dcfinc.com>
In-Reply-To: <00f501c18f66$da8044c0$88682518@cc191573g>; from kutulu@kutulu.org on Thu, Dec 27, 2001 at 10:14:05PM -0800
References:  <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <20011228035757.A99350@harimandir> <018901c18f4c$22402480$0101a8c0@haloflightleader.net> <00f501c18f66$da8044c0$88682518@cc191573g>

On Thu, Dec 27, 2001 at 10:14:05PM -0800, Kutulu wrote:
> They are scanning.  Nimda doesn't just guess IP's, it tries
> every single IP in the entire subnet.  That is, if your IP
> address is 192.168.45.23 and you are infected, your machine
> will loop through trying to connect (and infect) every IP
> address from 192.168.0.1 to 192.168.255.254.  This can be quite
> time-consuming (especially if many of those IP's are not
> online, or dropping packets aimed at port 80 without sending a
> RST).  But the worm isn't really concerned about the efficiency
> of the machine it infected, or the bandwidth it's wasting, so
> it turns out to be quite an effective way to spread.

I wonder if it would be worth the effort for CERT (or us'ns) to
write a script to be cron'd that works its way through the access
logs and e-mails "postmaster@xxxxxx" for each attempt to exploit a
known hole in M$ services.

This is a place where we UNIX users might be able to do the rest of
the world a service.

	-crl
--
Chad R. Larson (CRL15)   602-953-1392   Brother, can you paradigm?
chad@dcfinc.com         chad@larsons.org          larson1@home.com
DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254-2207
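
The log-scanning half of the script proposed above, as an added example that is not part of the original message: it groups worm-style probes in a web server access log by source address and builds the text of a notice for each. The Apache Common Log Format, the three probe signatures, and the sample lines are assumptions; looking up a responsible postmaster address and sending the mail are left out.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumed signatures: request paths that only make sense against IIS,
# as left in logs by Nimda (cmd.exe / root.exe) and Code Red (default.ida).
IIS_PROBE = re.compile(r'(?i)(?:cmd\.exe|root\.exe|default\.ida)')

def summarize(lines):
    """Group IIS-probe requests by source address, keeping log order."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if m and IIS_PROBE.search(m.group(3)):
            host, when, path, status = m.groups()
            hits[host].append((when, path, status))
    return dict(hits)

def report(host, events):
    """Plain-text body of a notice about one source address."""
    out = [f"Host {host} sent {len(events)} requests matching IIS worm probes.",
           f"First seen {events[0][0]}, last seen {events[-1][0]}.", ""]
    out += [f"  [{when}] {path} -> {status}" for when, path, status in events]
    return "\n".join(out)

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = [
    '192.0.2.23 - - [30/Dec/2001:23:01:10 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.23 - - [30/Dec/2001:23:01:11 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    '192.0.2.23 - - [30/Dec/2001:23:01:12 -0700] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [30/Dec/2001:23:02:40 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [30/Dec/2001:23:05:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 270',
    'truncated or malformed line that is not CLF',
]

if __name__ == "__main__":
    for host, events in summarize(SAMPLE).items():
        print(report(host, events), end="\n\n")
```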
