Security Incidents mailing list archives
Re: Possible variant of Blaster/Nachi/Welchia?
From: "Meyers, Adam" <Adam_Meyers () sra com>
Date: Fri, 26 Sep 2003 13:49:36 -0400
I believe there was an NTP exploit that came out this week on SecurityFocus
(DeepSight). Might be somebody trying to exploit it, but I don't know why the
ICMP is there; maybe looking for live hosts? Might also be some sort of ICMP
time attack.
Adam
-----Original Message-----
From: Jeff Kell <jeff-kell () utc edu>
To: Incidents <incidents () securityfocus com>; General DShield Discussion List
<list () dshield org>
Sent: Fri Sep 26 11:25:18 2003
Subject: Possible variant of Blaster/Nachi/Welchia?
I have seen some STRANGE traffic on our dorms this morning. The dorms
are all on a private network 172.18.0.0. I have hosts (10 so far) that
are doing this:
spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
About once or twice a minute the ICMPs continue, but the UDP isn't repeated.
It appears to be spreading (new machines showing up doing the same
thing). Any ideas, clues, ring any bells?
Jeff