--- Frank Knobbe <[EMAIL PROTECTED]> wrote: > On Mon, 2004-05-03 at 14:44, Eric Chien wrote: > > Actually, it is all variants (.A - .D). And more > > specifically, it iterates through all the host IP > > addresses looking for an address that does not > match: > > 127.0.0.1 > > 10. > > 172.16 - 172.31 (inclusive) > > 192.168. > > 169.254 > > > > Then, using this address it creates a random > address > > (sometimes changing all octets, sometimes just the > > last three, and sometimes just the last two). > > Word has it that this is not true. While the code > for the address check > is there, it doesn't appear to work on some Sasser > variants. There are > reports of infected 10/8 and 192.168/16 networks.
As stated above, the IP exclusions are applied to the _host IP_ which is used as a base to randomly generate a victim IP. The victim IP can be a 10/8, 192.168/16, etc. for example, in the case when all octets are randomly generated. When all of the _host_ IPs match the exclusion range, 127.0.0.1 is used as the base IP to randomly generate the victim IP. ...Eric _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
