|
|
ARP "Who has (one address)" > "Tell (many different, random IP's)": msg#00189security.ids.snort.sigs
We're a "residential college" with over 2,700 college students with their own computers on our "ResNet." We seem to be under attack from within. My Senior Sys Admin looked on the firewall's tcpdump activity shows massive quantities of ARP traffic, which ask "Who has (one single internal IP address)" with a destination of "Tell (multiple, random internal IP addresses)." We're with the belief this is the activity of a slew of zombie computers on our network. Has anyone ever seen such activity? Can you tell us what the name of this trojan/worm/viruii is? How can we detect this? Thank you in advance, Newbie Les Yaw Luther College Decorah, IA ------------------------------------------------------- This SF.Net email is sponsored by: Sybase ASE Linux Express Edition - download now for FREE LinuxWorld Reader's Choice Award Winner for best database on Linux. http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | ARP "Who has (one address)" > "Tell (many different, random IP's)": 00189, Les Yaw |
|---|---|
| Next by Date: | Re: ARP "Who has (one address)" > "Tell (many different, random IP's)": 00189, Paul Schmehl |
| Previous by Thread: | Re: ARP "Who has (one address)" > "Tell (many different, random IP's)"i: 00189, Matt Kettler |
| Next by Thread: | Re: ARP "Who has (one address)" > "Tell (many different, random IP's)": 00189, Paul Schmehl |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |