OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Newbie: what does this mean?
From: Tyrone Mills (TMillsTOTAL-CARE.COM)
Date: Fri Oct 13 2000 - 11:26:15 CDT

Is this a variant of the QAZ.Worm?

-----Original Message-----
From: Henry Luciano [mailto:cuncatorHOME.COM]
Sent: Thursday, October 12, 2000 4:47 AM
To: FOCUS-LINUXSECURITYFOCUS.COM
Subject: Re: Newbie: what does this mean?

Hello all,
   More likely it's the Netlog worm, I "snort" piles of them every
day. You grabbed any of the packets and looked at the data?

From my pile o' logs:
10/12-18:48:32.736418 yyy.yy.yyy.yy:1550 ->xxx.xxx.xxx.xx:139
TCP TTL:114 TOS:0x0 ID:56344 DF
***AP*** Seq: 0xC61FAC Ack: 0x305373EE Win: 0x212B
.....SMBs.....................C......u.h.h.....................+
...ASHLEY.WORKGROUP.Windows 4.0.Windows4.0............ .\\xxxxxx\C.?????.

The y's are there to protect the guilty (I've found the majority have
shared their full C drive rw with no password, *sigh*), the x's can be
replaced by any number of my hosts, as each instance of the worm tries to
propagate to bunches of IPs.

HTH,
Henry Luciano
cuncatormote.org

On Thu, 12 Oct 2000, < exter > wrote:
> I find this in my syslogs every day.
> At first I though it was some kind of attempt to intrude in my system.
>
> Oct 12 20:15:33 endymion tcplogd: netbios-ssn connection attempt from
> usuario1-NN-NNN-NN.dialup.xxx.es [xx.xxx.xxx.xxx]
>
> Do you think somebody (a bot perhaps) took me for a Win box with a BO
> client or could it be something more innocent.