Major worm..
-----Original Message-----
From: jai [mailto:jai.s@xxxxxxxxxxxxx]
Sent: Sat 1/25/2003 10:50 AM
To: snort-users@xxxxxxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx; vuln-dev@xxxxxxxxxxxxxxxxx; Paul Marcus
Cc: snort-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Snort-users] UDP 1434
Hi,
Internet traffic of INDIA's and ASIA's network has been affected badly..... it's amazing.... seriously microsoft sucks.. but it's fun !! :-)
Well I found something new in this ... I think this worm spoofs IP address according .... below is the tcpdump output .. out of which the host is .... 169.254.198.47 sending repeated packets to different network... but... 169.254.198.47.. is not our network.... after matching the MAC address .. it was originating ... from our IP i.e 202.71.129.197..
tcpdump output :
20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 > 224.173.178.18.ms-sql-m: udp 376 [ttl 1]
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m: udp 376 [ttl 1]
4500 0194 8e95 0000 0111 e5cb a9fe c62f
e658 ed71 0fc9 059a 0180 e189 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
Router the MAC address ..
Internet 202.71.129.197 157 0002.b32f.a495 ARPA FastEthernet6/0
I am running snort ...but it didn't detect....
Rgds
Jai
----- Original Message -----
From: Paul Marcus <paulmarcus@xxxxxxxxxxxxxx>
To: jai <jai.s@xxxxxxxxxxxxx>
Cc: <snort-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Saturday, January 25, 2003 8:20 PM
Subject: Re: [Snort-users] UDP 1434
> http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416
>
> http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
>
>
> On Sat, 2003-01-25 at 06:49, jai wrote:
> > Hi,
> >
> >
> > I am getting very high traffic on UDP 1434 ....
> >
> > what might be the problem
> >
> >
> > Rgds
> > Jai
> >
> >
> >
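The hex dump Jai quotes is enough to decode the IP and UDP headers by hand, which is how one checks that the traffic is really UDP to ms-sql-m (1434) with the 0x04-then-0x01 payload the dump shows. The following is an added example (not code from the thread, Snort, or tcpdump) that parses the first quoted dump and applies that check; the bytes are copied from the mail, and the `looks_like_ssrs_flood` heuristic is an assumption of mine, not a published signature.

```python
import struct

# Constructed input: the first tcpdump -x hex dump quoted in the mail above.
# Only the bytes shown there are included; the full datagram is 376 bytes of UDP payload.
SAMPLE_HEX = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
"""

MS_SQL_M = 1434   # SQL Server Resolution Service port, "ms-sql-m" in tcpdump output


def parse_hexdump(text: str) -> bytes:
    """Turn tcpdump-style 16-bit hex words back into raw bytes (IP header onwards)."""
    return bytes.fromhex("".join(text.split()))


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 header and the UDP header that follows it; raise if not UDP."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (20 here)
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": src, "dst": dst, "ttl": ttl, "ip_len": total_len,
        "sport": sport, "dport": dport,
        "udp_payload_len": ulen - 8,                # tcpdump prints this as "udp 376"
        "payload": pkt[ihl + 8:],                   # truncated to what the dump shows
        "dst_is_multicast": 224 <= pkt[16] <= 239,  # 224.0.0.0/4, as in the quoted dumps
    }


def looks_like_ssrs_flood(p: dict) -> bool:
    """Assumed heuristic: UDP to 1434 whose payload starts 0x04 followed by a run of 0x01."""
    payload = p["payload"]
    return (p["dport"] == MS_SQL_M and len(payload) > 17
            and payload[0] == 0x04 and payload[1:17] == b"\x01" * 16)


if __name__ == "__main__":
    info = parse_ipv4_udp(parse_hexdump(SAMPLE_HEX))
    print(info["src"], "->", info["dst"], info["dport"], looks_like_ssrs_flood(info))
```

Decoded this way the source is 169.254.198.47 and the destination 224.173.178.18, exactly what tcpdump printed, so the hex confirms the header tcpdump showed rather than the MAC-to-IP mapping the router table gives.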
_______________________________________________
Snort-users mailing list
Snort-users@xxxxxxxxxxxxxxxxxxxxx
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users