Transfers are done from the infected host.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Opacki
| Sent: Monday, August 11, 2003 2:41 PM
| To: Full-Disclosure (E-mail)
| Subject: Re: [Full-Disclosure] DCOM Worm released
|
| Can anyone confirm whether the tftp transfers appear to be solely from the
| hosts listed in the initial sans.org note (which now appear to have been
| taken down), or is the transfer done from the infecting host?
|
| TIA,
|
| -Dennis
|
| On Mon, 11 Aug 2003, Joey wrote:
|
| > They found a worm, but since it uses tftp servers that
| > can be taken down and since tftp is slow, it shouldn't
| > have much of an effect.
| >
| > "Scans sequentially for machines with open port 135,
| > starting at a presumably random IP address" - very
| > stupid way to spread!
| >
| > http://isc.sans.org/diary.html?date=2003-08-11

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
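
The behaviour discussed in this thread (sequential probing of port 135, then a tftp transfer from the infecting host) can be checked for in flow logs. The following is an added example, not part of the original messages: the flow-record format, sample records, `min_run` threshold and function names are constructed for illustration, and TFTP is assumed to be on its standard UDP port 69.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the thread): "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1060627200 10.0.5.23 10.0.9.1 tcp 135
1060627201 10.0.5.23 10.0.9.2 tcp 135
1060627202 10.0.5.23 10.0.9.3 tcp 135
1060627203 10.0.5.23 10.0.9.4 tcp 135
1060627204 10.0.5.23 10.0.9.5 tcp 135
1060627206 10.0.9.3 10.0.5.23 udp 69
1060627210 10.0.7.8 10.0.1.10 tcp 135
1060627215 10.0.7.9 10.0.1.20 udp 69
"""

def parse(text):
    """Yield (ts, src, dst, proto, dport) from whitespace-separated records."""
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, dst, proto, int(dport)

def longest_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = cur = 1 if nums else 0
    for prev, nxt in zip(nums, nums[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best

def find_infecting_hosts(text, min_run=5):
    """Return {scanner: [probed hosts that then sent it a TFTP request]}."""
    probed = defaultdict(dict)   # scanner -> {target: time of first probe}
    tftp = []                    # (ts, client, server) for UDP/69 requests
    for ts, src, dst, proto, dport in parse(text):
        if proto == "tcp" and dport == 135:
            probed[src].setdefault(dst, ts)
        elif proto == "udp" and dport == 69:
            tftp.append((ts, src, dst))
    report = {}
    for scanner, targets in probed.items():
        if longest_run(targets) < min_run:   # min_run is an assumed threshold
            continue
        # A probed host pulling a file from its own scanner indicates the
        # transfer came from the infecting host, not a fixed third-party server.
        report[scanner] = sorted(c for ts, c, s in tftp
                                 if s == scanner and c in targets and ts >= targets[c])
    return report

if __name__ == "__main__":
    print(find_infecting_hosts(SAMPLE_FLOWS))
```

A scanner listed with a non-empty host list is the one to isolate first, since each listed host has already requested a file from it.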
