OSEC

From: Ian Jones (iandsl081-056-052.dsl-isp.net)
Date: Sat Jun 23 2001 - 15:57:27 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Is this something that has been around for a while? There is a worm
    spreading via bind (surprise!) which scans for victims using CHAOS/TXT
    queries. After finding and compromising the victim it establishes a
    webserver on tcp port 12321 on the victim to serve files to future victims.
    I checked my packet dumps and found several infected hosts.

    If you want to poke at it, the following host is currently up, but I did
    notify the whois contact.
    http://203.85.223.195:12321/stuff.tgz

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    Comment: Making the world safe for geeks.

    iQA/AwUBOzUCtcAVSpfzXItKEQI4KQCg81erarwmgGCXUvr3/pLNqBMjD0oAoPa6
    Lx+vbSzHDc95pgOKDR7NiqSC
    =F3Qz
    -----END PGP SIGNATURE-----
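The two network indicators described in the message above (CHAOS-class TXT queries and connections to TCP port 12321) can be checked in captured traffic with a small DNS question parser. This is an added example, not part of the original post; the flow-record layout, the function names and the sample query name `version.bind` are assumptions made for illustration.

```python
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3   # RFC 1035 values for TXT and CH
WORM_HTTP_PORT = 12321            # TCP port named in the post

def build_query(name, qtype, qclass, txid=0x1234):
    # Build a minimal DNS query; used only to construct sample input.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(payload):
    """Return (name, qtype, qclass) for the first question, or None if malformed."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:        # skip responses and empty queries
        return None
    pos, labels = 12, []
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None                      # pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(payload):               # need terminator, QTYPE and QCLASS
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def classify(proto, dport, payload=b""):
    # Label one flow record with the indicator it matches, or None.
    if proto == "udp" and dport == 53:
        q = parse_question(payload)
        if q and q[1] == QTYPE_TXT and q[2] == QCLASS_CHAOS:
            return "chaos-txt-query:" + q[0]
    if proto == "tcp" and dport == WORM_HTTP_PORT:
        return "tcp-12321-connection"
    return None

# Constructed sample flows (documentation addresses, not taken from the post).
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 53, build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS)),
    ("192.0.2.11", "udp", 53, build_query("www.example.com", 1, 1)),
    ("192.0.2.10", "tcp", 12321, b""),
]

def scan(flows):
    return [(src, hit) for src, proto, dport, data in flows
            if (hit := classify(proto, dport, data))]
```

A source that appears under both labels, as 192.0.2.10 does in the sample, matches the scan-then-fetch pattern the message describes.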