[Gllug] Slapper worm
Nix
nix at esperi.demon.co.uk
Sun Sep 22 11:27:00 UTC 2002
On Wed, 18 Sep 2002, Simon Rumble spake:
> Quick show of hands: how many people on the list have had an
> infection?
>
> Further: are people getting lots of probes?
I read these lines without reading the subject, and started worrying
rather a lot about what kind of infection you might be referring to ;)
I saw a tremendous flood of probes on the 15th from (obviously forged
and thus dropped at the firewall) source addresses in the 192.168.11/24
and 10.241.8/24 ranges, with the invariant source port 39480, banging on
ports 1999, 8310, 9619, 13212, 14076, 15408, 18952, 18206, and 24188,
over and over again hundreds of times for about half an hour.
I'm still not sure what exploit the attacker (presumably a script
kiddie) was trying, or WTF he thought he'd gain by banging on obviously-
closed ports over and over again. (I'm not even sure what most of those
ports were meant to be hooked up to.)
--
`Let's have a round of applause for those daring young men
and their flying spellcheckers.' --- Meg Worley
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list