[olug] Worms!
Phil Brutsche
pbrutsch at creighton.edu
Fri Jul 20 05:16:47 UTC 2001
A long time ago, in a galaxy far, far away, someone said...
> since we're on the topic, eeye has a really good account of their work
> on documenting the worm and it's at:
> http://www.eeye.com/html/advisories/codered.zip
>
> i don't know about anyone else but i got "code red hits" on port 80 from
> over 50 different hosts. apache reports "Client sent malformed Host header"
>
> also, obviously unrelated but definitely strange, over 200 requests on
> ports 113 and 27374 from 20some different ip's. 27374 i understand but i can't seem to
> find anything on attacks on 113 on the web. bugtraq was equally unresponsive
> as everyone just shrugged when someone else mentioned it on the list.
> does anyone else get probed on 'auth'?
Connection attempts to port 113 should be generally ignored and shouldn't
even be reported as an "attack". It's just a remote computer asking your
computer which UID is making the connection.
SMTP and FTP clients are two of the biggest generators of "auth" (also
called "ident") connection attempts that I have seen.
TCP port 27374 is used by the Sub7 Win32 worm.
Phil
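Added example (not part of the original post): one way to check the point about port 113 against a firewall log is to match each inbound ident connection to an outbound FTP or SMTP session to the same host shortly before it. The log tuple format, the 30-second window, the label names and the sample addresses are all assumptions constructed for illustration.

```python
# Added example: constructed data, hypothetical log format and label names.
from collections import Counter

IDENT_PORT = 113             # "auth"/ident service (RFC 1413)
SUB7_PORT = 27374            # port the post attributes to Sub7
IDENT_TRIGGERS = {21, 25}    # FTP and SMTP, the generators named in the post
WINDOW = 30                  # seconds; assumed correlation window

# (epoch seconds, direction, remote IP, destination port) - constructed sample
EVENTS = [
    (1000, "out", "192.0.2.10", 25),
    (1001, "in", "192.0.2.10", 113),     # mail server asking who connected
    (1040, "out", "192.0.2.20", 21),
    (1042, "in", "192.0.2.20", 113),     # FTP server doing the same
    (1100, "in", "198.51.100.7", 113),   # no outbound session from us
    (1105, "in", "198.51.100.7", 27374),
    (1200, "in", "192.0.2.10", 113),     # long after our SMTP session
    (1300, "in", "203.0.113.5", 80),
]

def classify(events, window=WINDOW):
    """Label each inbound event; returns a list of (event, label)."""
    last_out = {}  # remote IP -> time of our latest outbound FTP/SMTP connect
    labelled = []
    for ts, direction, ip, port in sorted(events, key=lambda e: e[0]):
        if direction == "out":
            if port in IDENT_TRIGGERS:
                last_out[ip] = ts
            continue
        if port == IDENT_PORT:
            seen = last_out.get(ip)
            if seen is not None and ts - seen <= window:
                label = "ident-callback"      # reply to our own session
            else:
                label = "ident-unsolicited"   # nothing of ours explains it
        elif port == SUB7_PORT:
            label = "sub7-port-probe"
        else:
            label = "other"
        labelled.append(((ts, direction, ip, port), label))
    return labelled

def summary(events):
    """Count inbound events per label."""
    return Counter(label for _, label in classify(events))

if __name__ == "__main__":
    for event, label in classify(EVENTS):
        print(event, label)
```
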