Around Fri, Aug 22 2003, at 12:28, Cory Petkovsek wrote:
> On Fri, Aug 22, 2003 at 12:04:06PM -0700, Cory Petkovsek wrote:
> > Filtering more, I have a win2k/sql7 server that has been trying to ping
> > every ip address from (I suppose) 9.0.0.0 to 9.255.255.255. It just
> > stopped, having hit 9.255.255.255. I saw all this through tcpdump,
> > however I'm inspecting my...., whoah, now it's starting at 218.75.2.0...
> > Anyway, I'm inspecting this server to see what it has on it.
>
> I've been welched...
> W32.Welchia.Worm
> http://www.symantec.com/avcenter/venc/data/pf/w32.welchia.worm.html
>
> Not sure how it got in though... It's time to put on my well worn sleuth
> hat.

Laptop? Router that got hammered and couldn't block all port 135?
I see it picks an ip address then scans that class-b equiv. Supposedly, the 9.0.0.0 should have just gone to 9.0.255.255, then find the next ip.

--
[EMAIL PROTECTED]
From /usr/bin/fortune:
segfault
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
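
An added example, not part of the original thread: one way to spot the internal host doing the kind of ping sweep described above is to read tcpdump text output and count distinct echo-request targets per source within each class-B (/16) block. The function names, the threshold of 20 targets, and the sample capture lines are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# Matches both older ("icmp: echo request") and current ("ICMP echo request")
# tcpdump text output; captures source and destination IPv4 addresses.
ECHO_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (?:ICMP|icmp:) echo request"
)

def find_sweepers(lines, min_targets=20):
    """Return {source: {"/16 block": distinct_target_count}} for sources that
    pinged at least min_targets distinct addresses inside a single /16."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = ECHO_RE.search(line)
        if not m:
            continue  # not an echo request, ignore
        src, dst = m.groups()
        block = ".".join(dst.split(".")[:2]) + ".0.0/16"
        targets[src][block].add(dst)  # set: repeated pings count once
    report = {}
    for src, by_block in targets.items():
        hits = {b: len(d) for b, d in by_block.items() if len(d) >= min_targets}
        if hits:
            report[src] = hits
    return report

def constructed_sample():
    """Constructed capture: 10.0.0.5 sweeps 9.0.0.1-9.0.0.40,
    10.0.0.7 pings a single host (normal behaviour)."""
    lines = [
        f"12:04:{i:02d}.000000 IP 10.0.0.5 > 9.0.0.{i}: "
        f"ICMP echo request, id 512, seq {i}, length 72"
        for i in range(1, 41)
    ]
    lines.append("12:05:00.000000 10.0.0.7 > 192.0.2.1: icmp: echo request")
    # A repeat of an already-seen target must not inflate the count.
    lines.append("12:05:01.000000 IP 10.0.0.5 > 9.0.0.1: "
                 "ICMP echo request, id 512, seq 41, length 72")
    return lines

if __name__ == "__main__":
    for src, hits in find_sweepers(constructed_sample()).items():
        print(src, hits)
```

On a live network the input would be saved `tcpdump -n icmp` output, with the threshold tuned to what monitoring hosts legitimately ping.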
