I can confirm that on our currently running network with IDS and flow data. TFTP is from the attacking source, not from any centralized servers.
-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Mon, 11 Aug 2003, Dennis Opacki wrote:

> 
> Never mind. SANS now indicates:
> 
> Infection sequence:
> 
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit
> to TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the
> shell on port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
> 
> 
> On Mon, 11 Aug 2003, Dennis Opacki wrote:
> 
> > 
> > Can anyone confirm whether the tftp transfers appear to be solely from the
> > hosts listed in the initial sans.org note (which now appear to have been
> > taken down), or is the transfer done from the infecting host?
> > 
> > TIA,
> > 
> > -Dennis
> > 
> > On Mon, 11 Aug 2003, Joey wrote:
> > 
> > > They found a worm, but since it uses tftp servers that
> > > can be taken down and since tftp is slow, it shouldn't
> > > have much of an effect.
> > > 
> > > "Scans sequentially for machines with open port 135,
> > > starting at a presumably random IP address" - very
> > > stupid way to spread!
> > > 
> > > http://isc.sans.org/diary.html?date=2003-08-11
> > > 
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
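The confirmation above comes from flow data, and the quoted SANS sequence is exactly the kind of ordered pattern a flow correlator can match: TCP/135 from SOURCE to TARGET, TCP/4444 in the same direction, then a UDP/69 pull from TARGET back to the same SOURCE. The script below is an added example and not code from any poster on this thread; the Flow record layout, the RFC 5737 sample addresses and the 300-second correlation window are assumptions.

```python
"""Correlate flow records against the Blaster-style infection sequence
quoted in this thread: TCP/135 from SOURCE to TARGET, TCP/4444 from SOURCE
to TARGET, then UDP/69 (TFTP) from TARGET back to that same SOURCE."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds; assumed flow record layout, not a real exporter's
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int

WINDOW = 300  # assumed: seconds allowed from the first 135 hit to the TFTP pull

def find_infections(flows, window=WINDOW):
    """Return (source, target, tftp_ts) triples where the full sequence
    appears in order within `window`. A 135 hit alone (scan or failed
    exploit) or a TFTP pull from an unrelated server does not match."""
    stage = {}  # (source, target) -> (stage_reached, ts_of_first_135_hit)
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "tcp" and f.dport == 135:
            stage.setdefault((f.src, f.dst), (1, f.ts))
        elif f.proto == "tcp" and f.dport == 4444:
            key = (f.src, f.dst)
            if key in stage and stage[key][0] == 1 and f.ts - stage[key][1] <= window:
                stage[key] = (2, stage[key][1])
        elif f.proto == "udp" and f.dport == 69:
            key = (f.dst, f.src)  # the TFTP pull runs target -> source
            if key in stage and stage[key][0] == 2 and f.ts - stage[key][1] <= window:
                hits.append((key[0], key[1], f.ts))
                del stage[key]
    return hits

# Constructed sample flows (not real traffic); RFC 5737 documentation addresses.
SAMPLE = [
    Flow(0.0, "tcp", "198.51.100.7", "192.0.2.10", 135),   # exploit attempt
    Flow(1.2, "tcp", "198.51.100.7", "192.0.2.10", 4444),  # shell on the target
    Flow(2.5, "udp", "192.0.2.10", "198.51.100.7", 69),    # tftp get back to SOURCE
    Flow(3.0, "tcp", "198.51.100.7", "192.0.2.11", 135),   # scan only, no shell
    Flow(4.0, "udp", "192.0.2.12", "203.0.113.5", 69),     # ordinary tftp, unrelated
]

if __name__ == "__main__":
    for src, dst, ts in find_infections(SAMPLE):
        print(f"t={ts}: {dst} pulled its payload via TFTP from infecting host {src}")
```

Only the first target matches; the bare 135 probe and the unrelated TFTP transfer are left alone, which is what distinguishes "TFTP from the attacking source" from traffic to a central server.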
