Re: Alert: Teardrop2 Attack - Update #5
- To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Alert: Teardrop2 Attack - Update #5
- From: Russ <Russ.Cooper RC.ON.CA>
- Date: Wed, 4 Mar 1998 15:02:27 -0500
- Reply-To: Russ <Russ.Cooper RC.ON.CA>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM>
All the latest news fit to print...;-]

Turns out my DNS theories were actually dead on. After examining the attacker's original script, it turns out he/she/it did enumerate the IP addresses to attack using DNS, and not by using zone transfers. Pretty lame and more work than necessary, but it was probably easier to automate?? Could be an indication of a lack of skill on the attacker's part. The attack used bonk and linsniffer to do its dirty deed; both were uploaded to the compromised source Linux box already compiled, another indication it was a cheap thrill.

I've had a report that the smbsrv attack was part of this wave, making this a "new" attack in some minds (since it combined bonk and something). No hard evidence to prove this yet, but I just thought I would mention it so folks will get the srv-fix also (see my http://www.ntbugtraq.com/ntfixes.asp for links).

Personally I believe what some of the people saw were random ports being hit with invalid packets. When those ports happened to be listening, they probably experienced some of the known earlier problems (like 100% CPU or out-and-out crashes). The vast majority of crashed machines were largely unpatched and mostly totally exposed (i.e. no firewall at all).

I believe the attacks have stopped now; let me know if you're still getting hit. The "true" attacking machine was in .de, accessed by a dialup user in the U.S.

If there are details you really need to hear, and I haven't already posted them, feel free to ask. Don't ask for the script; it's pretty benign and you could come up with it yourself very quickly.

Cheers,
Russ