It can be people with autorooters, using it from Unix shells, or Windows boxes.. doesn't have to be a worm... technically.. you can spread a trojan just as fast with a scanner.. if not faster than a worm..
-phlox

----- Original Message -----
From: "Richard Johnson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows

> We've noticed increased scan activity on port 135, ramping up over the
> past 20 hours.
>
> The scanning appears to concentrate on nearby /16s. For example, when
> the source host has IP in 10.117.68.0/24, we've seen scanning of at
> least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
> 10.116.0.0/16, and nowhere else yet.
>
> We've also had 2nd-hand reports of svchost.exe being killed on hosts
> being attacked, causing downloading patches during the attack to fail.
> Also, at least two dialup links are being flooded into uselessness by
> the scan traffic from others nearby.
>
>
> Richard
>
> -------
> Example headers:
>
> Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> --
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
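
The scan pattern reported in the quoted message can be summarized directly from tcpdump header lines like the ones it shows. The following is an added example, not part of the thread or written by either poster: it groups bare SYNs to port 135 by source /24 and destination /16. The function names, the extra port-80 line in the sample, and the reading of "nearby" as "same first octet" are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The three header lines quoted in the post, plus one constructed port-80 line
# (the last) to show that traffic to other ports is ignored.
SAMPLE = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:16.000000 0800 62: 10.117.68.50.1915 > 10.116.132.184.80: S 1:1(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""

# tcpdump prints endpoints as "a.b.c.d.port"; the TCP flags field follows the colon.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) "
)

def parse_syns(text, port=135):
    """Yield (src_ip, dst_ip) for bare SYNs sent to the given destination port."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m["flags"] == "S" and int(m["dport"]) == port:
            yield ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])

def summarize(text, port=135):
    """Map each source /24 to the sorted list of destination /16s it probed."""
    seen = defaultdict(set)
    for src, dst in parse_syns(text, port):
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/16", strict=False)
        seen[str(src_net)].add(str(dst_net))
    return {net: sorted(dsts) for net, dsts in seen.items()}

def shared_first_octet(summary):
    """Assumed test for "nearby": every destination /16 shares the source's first octet."""
    return all(d.split(".")[0] == s.split(".")[0]
               for s, dsts in summary.items() for d in dsts)

if __name__ == "__main__":
    for src_net, dst_nets in summarize(SAMPLE).items():
        print(src_net, "->", ", ".join(dst_nets))
```
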
