Dameware Traffic and mailbag

Published: 2004-01-22
Last Updated: 2004-01-22 21:20:12 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
Dameware Traffic


In yesterday's diary (http://isc.sans.org/diary.html?date=2004-01-21), we asked you for information about port 6129 (DameWare Mini Remote Control) traffic.



Thanks for all the logs sent to us. We are still interested in full tcpdump packet captures if you have them.



Despite the high number of reports received, so far there is no evidence that the 6129 traffic is caused by a worm. The relevant factor is the low and stable number of sources (http://www.dshield.org/port_report.php?port=6129&recax=1&tarax=2&srcax=2&percent=N&days=40). We are noticing an interesting pattern in the scanning tool that apparently is behind this traffic. Incident Handler Donald Smith pointed out that "it increments the 3rd octet. That will move it across networks in most cases! So sequential packets might not trigger a scan if you are only counting packets per second to your network."
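To show why a per-network packets-per-second rule misses this sweep, here is an added example (not part of the original diary, and not the scanning tool itself) that runs two detection rules over constructed tcpdump-style lines: a naive "packets per destination /24 per second" rule, and a per-source rule that counts the distinct destination /24s a source probes on 6129 and checks whether their third octets form a consecutive run. The log lines, the addresses (RFC 5737 test ranges and 10.0.0.0/8) and the thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump-like line: "HH:MM:SS.frac IP src.sport > dst.dport: flags"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample traffic, not a real capture. 203.0.113.7 walks port 6129
# by incrementing the third octet of the destination (one packet per /24).
# 192.0.2.20 retries a single host on 6129, which is what a per-network
# packets-per-second rule actually notices.
SAMPLE_LOG = """\
12:00:01.000 IP 203.0.113.7.4123 > 10.0.1.5.6129: S
12:00:01.250 IP 203.0.113.7.4124 > 10.0.2.5.6129: S
12:00:01.500 IP 203.0.113.7.4125 > 10.0.3.5.6129: S
12:00:01.750 IP 203.0.113.7.4126 > 10.0.4.5.6129: S
12:00:02.000 IP 203.0.113.7.4127 > 10.0.5.5.6129: S
12:00:02.250 IP 203.0.113.7.4128 > 10.0.6.5.6129: S
12:00:01.100 IP 192.0.2.20.5000 > 10.0.1.9.6129: S
12:00:01.150 IP 192.0.2.20.5001 > 10.0.1.9.6129: S
12:00:01.200 IP 192.0.2.20.5002 > 10.0.1.9.6129: S
12:00:01.300 IP 192.0.2.20.5003 > 10.0.1.9.6129: S
12:00:01.350 IP 192.0.2.20.5004 > 10.0.1.9.6129: S
"""


def parse(log_text):
    """Parse tcpdump-style lines into dicts with ts (seconds), src, dst, dport."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        records.append({
            "ts": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return records


def dst_net(addr):
    """The /24 containing addr, e.g. 10.0.3.5 -> '10.0.3.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def per_network_pps_alerts(records, dport=6129, threshold=3):
    """Naive rule: alert on a destination /24 that receives more than
    `threshold` packets to dport within one second. The third-octet sweep
    never exceeds one packet per /24, so it is invisible to this rule."""
    buckets = defaultdict(int)
    for r in records:
        if r["dport"] == dport:
            buckets[(dst_net(r["dst"]), int(r["ts"]))] += 1
    return sorted({net for (net, _sec), n in buckets.items() if n > threshold})


def longest_third_octet_run(nets):
    """Longest run of consecutive third octets among /24s within one /16."""
    by16 = defaultdict(set)
    for n in nets:
        o = n.split("/")[0].split(".")
        by16[(o[0], o[1])].add(int(o[2]))
    best = 0
    for octets in by16.values():
        s = sorted(octets)
        run = 1
        best = max(best, run)
        for a, b in zip(s, s[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
    return best


def third_octet_sweeps(records, dport=6129, window=5.0, min_nets=4):
    """Per-source rule: within any `window` seconds, collect the distinct
    destination /24s a source probes on dport; flag the source if their
    third octets form a consecutive run of at least `min_nets`.
    Returns {source: distinct /24s seen in the widest flagged window}."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_src[r["src"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            nets = {dst_net(r["dst"]) for r in recs[start:end + 1]}
            if longest_third_octet_run(nets) >= min_nets:
                hits[src] = max(hits.get(src, 0), len(nets))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("per-network pps rule flags:", per_network_pps_alerts(recs))
    print("third-octet sweep rule flags:", third_octet_sweeps(recs))
```

The naive rule only flags 10.0.1.0/24, driven by the retrying client, while the sweeping source never shows more than one packet per destination /24. Keying the count on the source and on the number of distinct /24s it touches is what makes the sweep visible; the same idea applies when correlating DShield submissions from several contributors, since no single contributor's /24 sees enough packets on its own.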



If you want to participate in the Internet Storm Center, as well as receive reports, fight back and get other benefits, we would like you to consider using DShield and its client software to submit your logs to DShield (http://www.dshield.org/howto.php).




Mailbag


We received an email about a possible Nachi/Blaster worm infection on an XP computer. SANS released a very good document about Windows XP security called "Windows XP: Surviving the First Day" (http://www.sans.org/rr/papers/index.php?id=1298).

-------------------------------------------------

Handler on Duty: Pedro Bueno