Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: BlackWorm technical information
From: Mike Owen <kyphros () gmail com>
Date: Tue, 24 Jan 2006 12:11:16 -0800

On 1/24/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
The *interesting* question is whether it's possible to use this to count
the *actual* number of affected machines by excluding all the rubberneckers
that are visiting the page and hitting "refresh" to see the numbers go up.
Maybe by looking at the Referer or User-Agent values?



That's what the Snort rule looks for, a connection to that page
without a Referer: tag. Not perfect, but it works well enough.

Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]