Hi All,

You know this lovesan virus that's causing mayhem at the moment. Well, just to see what has been going on out there, I started by opening port 135 netbios. Then I started to log all probes. This is what I got in just three minutes:

Aug 14 19:17:37 waz kernel: IN=ppp0 OUT= MAC= SRC=218.48.232.167 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41913 DF PROTO=TCP SPT=1172 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 19:17:37 waz kernel: IN=ppp0 OUT= MAC= SRC=218.48.232.167 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41919 DF PROTO=TCP SPT=1172 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 19:17:38 waz kernel: IN=ppp0 OUT= MAC= SRC=218.48.232.167 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41920 DF PROTO=TCP SPT=1172 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 19:19:38 waz kernel: IN=ppp0 OUT= MAC= SRC=81.168.32.29 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14724 DF PROTO=TCP SPT=3267 DPT=135 WINDOW=30618 RES=0x00 SYN URGP=0
Aug 14 19:19:38 waz kernel: IN=ppp0 OUT= MAC= SRC=81.168.32.29 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14734 DF PROTO=TCP SPT=3267 DPT=135 WINDOW=30618 RES=0x00 SYN URGP=0
Aug 14 19:19:39 waz kernel: IN=ppp0 OUT= MAC= SRC=81.168.32.29 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14737 DF PROTO=TCP SPT=3267 DPT=135 WINDOW=30618 RES=0x00 SYN URGP=0

And this is just from 1 machine. Imagine how much bandwidth is being sucked up there? Especially considering the critter runs a GET command to pull msblast.exe (the payload) off an ftp site!

Cheers,
Luke

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
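As an added example (not part of Luke's post or the list), here is a small Python parser for the netfilter LOG lines quoted above that tallies inbound TCP SYNs to port 135 per source address, which is how you would turn a raw kernel log like this into a list of probing hosts. The sample input reuses four lines from the post plus two constructed lines of unrelated traffic to show they are ignored.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# First four lines are from the post; the last two are constructed here
# (a SYN to port 80 and a bare ACK to port 135) and must not be counted.
SAMPLE_LOG = """\
Aug 14 19:17:37 waz kernel: IN=ppp0 OUT= MAC= SRC=218.48.232.167 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41913 DF PROTO=TCP SPT=1172 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 19:17:37 waz kernel: IN=ppp0 OUT= MAC= SRC=218.48.232.167 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=41919 DF PROTO=TCP SPT=1172 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 19:19:38 waz kernel: IN=ppp0 OUT= MAC= SRC=81.168.32.29 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14724 DF PROTO=TCP SPT=3267 DPT=135 WINDOW=30618 RES=0x00 SYN URGP=0
Aug 14 19:19:38 waz kernel: IN=ppp0 OUT= MAC= SRC=81.168.32.29 DST=81.168.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14734 DF PROTO=TCP SPT=3267 DPT=135 WINDOW=30618 RES=0x00 SYN URGP=0
Aug 14 19:20:01 waz kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.168.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 19:20:02 waz kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=81.168.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40001 DPT=135 WINDOW=5840 RES=0x00 ACK URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens, value may be empty
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens, no '='


def parse_netfilter_line(line: str) -> Optional[dict]:
    """Split one netfilter LOG line into its KEY=VALUE fields plus a 'flags'
    set holding the bare TCP flag tokens. Returns None for non-kernel lines."""
    if "kernel:" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    fields = dict(KV_RE.findall(payload))
    fields["flags"] = {tok for tok in payload.split() if tok in TCP_FLAG_TOKENS}
    return fields


def count_syn_probes(lines: Iterable[str], dport: str = "135") -> Counter:
    """Count pure SYNs (new connection attempts) to dport, keyed by source IP."""
    hits: Counter = Counter()
    for line in lines:
        f = parse_netfilter_line(line)
        if (f and f.get("PROTO") == "TCP" and f.get("DPT") == dport
                and "SYN" in f["flags"] and "ACK" not in f["flags"]):
            hits[f["SRC"]] += 1
    return hits


def noisy_sources(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Sources that sent at least `threshold` SYNs to port 135 (retries)."""
    return sorted(s for s, n in count_syn_probes(lines).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in count_syn_probes(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src:<16} {n} SYN(s) to tcp/135")
```

The three SYNs a second apart from each source in the post are the TCP retransmits of a single failed connect, so counting by source rather than by packet gives a truer picture of how many hosts are actually probing.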