[Gllug] Slapper worm
John Winters
john at linuxemporium.co.uk
Wed Sep 18 11:10:02 UTC 2002
On Wed, 2002-09-18 at 11:54, Rev Simon Rumble wrote:
> Quick show of hands: how many people on the list have had an
> infection?
Not yet (and fully patched so I hope I won't). UDP port 2002 is blocked
at my firewall. I've now modified my f/w configuration so attempts on
that port are logged as well.
> Further: are people getting lots of probes?
I'm seeing a number of probes, but all from the same remote host.
Interestingly, said hosts probes a number of other ports in addition to
2002.
Hmm. I've just had a look. The probes I'm seeing are to:
TCP 22
TCP 23
TCP 25
TCP 443
TCP 1080
TCP 1433
TCP 1521
TCP 2000
TCP 2002
TCP 3128
TCP 3306
TCP 8080
TCP 32771
TCP 32772
but none to:
UDP 2002
and it clearly is clearly working through IP addresses in sequence
because I have 4 IP addresses on that subnet and it tried them all. Is
this slapper or something else?
In case anyone's interested the source IP address is 212.44.241.20
John
--
The Linux Emporium - the source for Linux CDs in the UK
See http://www.linuxemporium.co.uk/
Evolution is now exciting.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list