On Sat, 20 Sep 2003 14:41:39 -0600, Richard Johnson <[EMAIL PROTECTED]> wrote:
> We've noticed increased scan activity on port 135, ramping up over the > past 20 hours. > > The scanning appears to concentrate on nearby /16s... We finally had infections occur on Tuesday evening showing the same scan behavior. Sysadmins doing cleanup report Norton and McAfee IDed the bug as W32.Welchia. I don't know whether it was a variant using one of the two new RPC holes, or just month-old Welchia. That's because the hosts hit were traditional non-compliant lab machines and non-adminned remote office or home hosts. In other words, they were still vulnerable to the original blaster worm. The US Dept. of State's CLASS was hit by this one, and it looks like they shut down for a short while to contain it: http://www.azcentral.com/news/articles/0924ComputerVirus24-ON.html Richard -- To reply via email, make sure you don't enter the whirlpool on river left. My mailbox. My property. My personal space. My rules. Deal with it. http://www.river.com/users/share/cluetrain/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
