From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Sun Jan 26 2003 - 15:21:44 CST

    > Pardon my delurk, but this is very strange worm behavior. We are seeing
    > 100 SQL Worms per second from a single IP address on Telstra. This is
    > about 10k times the level of activity we are seeing from any other
    > address.

    That is certainly odd.

    > Anyone here either know anyone at Telstra who can shut this off, or
    > perhaps at least some explanation of why this worm instance would set
    > aside its usual randomish behavior and flood us like this?

    There seems to be a major weakness in the scanning pattern of this worm that
    makes it flood some addresses far more extensively than others. Considering
    that the entire 'random' generator is just a trivial bit shift of the system
    timer, it can't be expected to be really 'random' at all.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html