|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: Router Worm?
From: David Gillett (gillettdavid
fhda.edu)
Date: Thu Nov 20 2003 - 11:14:10 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I've never seen it do that, in the about 50 or so instances
I've encountered. Does it only do it occasionally? Does it
attack the same host against which 135/tcp failed, or some
random third party?
(Does it, perhaps, distinguish between 135/tcp "failed to
connect" and 135/tcp "connected, but target was patched and
so could not be infected"?)
David Gillett
> -----Original Message-----
> From: Jose Nazario [mailto:josemonkey.org]
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
>
>
> its welchia/nachi. when it can't connect via 135/tcp, it will
> attempt an
> exploit against a webdav server (see MS03-007).
>
> i've seen an uptick in this in the past couple of days, too,
> visible on a
> few httpd servers i track. and i, too, was caught off guard
> until someone
> pointed out it was nachi to me. digging into the tech details
> showed that
> i (and many of us) had been overlooking a secondary attack.
>
> ___________________________
> jose nazario, ph.d. josemonkey.org
> http://monkey.org/~jose/
>
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]