Dameware Traffic
In yesterday's diary (http://isc.sans.org/diary.html?date=2004-01-21), we asked you for information about port 6129 traffic. Thanks for all the logs sent to us. We are still interested if you have full tcpdump packet captures.

Despite the high number of reports received, so far there is no evidence that the 6129 traffic is caused by a worm. The relevant factor is the low and stable number of sources (http://www.dshield.org/port_report.php?port=6129&recax=1&tarax=2&srcax=2&percent=N&days=40).

We are noticing an interesting pattern in the scanning tool that, apparently, is behind this traffic. Incident Handler Donald Smith pointed out that "it increments the 3rd octet. That will move it cross networks in most cases! So sequential packets might not trigger a scan if you are only counting packets per second to your network."

If you want to participate in the Internet Storm Center, as well as get reports, fight back, and other benefits, we would like you to consider using DShield and its clients to send your logs to DShield (http://www.dshield.org/howto.php).

Mailbag

We received an email about a possible Nachi/Blaster worm infection on an XP computer. SANS released a very good document about Windows XP security called Windows XP Surviving the first day (http://www.sans.org/rr/papers/index.php?id=1298).

-------------------------------------------------
Handler on Duty: Pedro Bueno
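
The third-octet stepping quoted above can be caught by following each source's targets across networks instead of counting packets per network. The following Python is an added example, not ISC or DShield code; the log format ("epoch src dst dport"), the addresses, the function names and the `min_run` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
1074768000 203.0.113.7 10.20.0.25 6129
1074768001 203.0.113.7 10.20.1.25 6129
1074768002 203.0.113.7 10.20.2.25 6129
1074768003 203.0.113.7 10.20.3.25 6129
1074768004 203.0.113.7 10.20.4.25 6129
1074768002 198.51.100.9 10.20.2.80 6129
1074768009 198.51.100.9 10.20.2.81 6129
1074768003 192.0.2.44 10.20.3.25 80
"""

def parse(log, port):
    """Yield (ts, src, dst_octets) for well-formed records aimed at `port`."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != str(port):
            continue
        try:
            ts, octets = int(fields[0]), tuple(int(o) for o in fields[2].split("."))
        except ValueError:
            continue  # skip malformed timestamps or addresses
        if len(octets) == 4 and all(0 <= o <= 255 for o in octets):
            yield ts, fields[1], octets

def third_octet_runs(log, port=6129, min_run=4):
    """Return {src: (longest_run, max_hits_in_one_/24)} for sources whose
    consecutive targets keep octets 1, 2 and 4 fixed and add 1 to octet 3."""
    by_src = defaultdict(list)
    for ts, src, dst in parse(log, port):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # order each source's probes by time
        per_net = defaultdict(int)  # hits per destination /24
        best, run, prev = 1, 1, None
        for _, dst in events:
            per_net[dst[:3]] += 1
            stepped = prev and dst == (prev[0], prev[1], prev[2] + 1, prev[3])
            run = run + 1 if stepped else 1
            best = max(best, run)
            prev = dst
        if best >= min_run:
            flagged[src] = (best, max(per_net.values()))
    return flagged
```

On the constructed sample, the stepping source is flagged with a run of five networks while never sending more than one packet to any single /24, which is why a per-network packet-rate threshold would miss it.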
Pedro, ISC Handler, Jan 22nd 2004