Looks like WORM_NACHI.A http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.A
-----Original Message-----
From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: [gb-users] Spoofing IPs

How possible is it to spoof an IP address being given to GB firewall? I had the following messages come from my GB:

Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=1026 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=135/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=135 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.68 dstport=1026 interface=xl0

Well, I had a lot more than these, but this is just a sampling. The IP comes back as being owned by PacWest, which tells me they are re-allocated to NetZero. Well, NetZero claims this didn't come from their network because they don't show a user logged in at that time with that IP. Soooo, something odd is going on, and it seems to involve someone trying to access my network...

Christopher Congdon
Network Engineer
Congdon.WEB
[EMAIL PROTECTED]
http://www.congdonweb.com
317-920-9601

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://www.mail-archive.com/[EMAIL PROTECTED]
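Added example, not part of either message: a Python sketch that parses the firewall's key=value log lines quoted above and groups blocked packets by source address, so one source's spread across destinations, services and source ports is visible at a glance. The field names are taken from the quoted log lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three log lines quoted in the message above, copied unchanged.
SAMPLE = """\
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=1026 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=135/udp src=66.52.249.70 srcport=666 dst=63.94.115.69 dstport=135 interface=xl0
Sep 24 10:26:33 pri=4 flt_type=RAF flt_action=block msg="Block RAF (46)" rule=46 proto=1026/udp src=66.52.249.70 srcport=666 dst=63.94.115.68 dstport=1026 interface=xl0
"""

STAMP = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*)$")
# key=value pairs; a value is either double-quoted or runs to the next space.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it does not match."""
    m = STAMP.match(line.strip())
    if not m:
        return None
    fields = {k: (q if b == "" else b) for k, q, b in PAIR.findall(m.group(2))}
    return m.group(1), fields


def summarize(text):
    """Group blocked packets by source address."""
    by_src = defaultdict(lambda: {"count": 0, "dsts": set(), "services": set(), "srcports": set()})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("flt_action") != "block":
            continue
        f = parsed[1]
        # In these lines proto carries "port/transport", e.g. "1026/udp".
        transport = f.get("proto", "").rpartition("/")[2]
        s = by_src[f.get("src", "?")]
        s["count"] += 1
        s["dsts"].add(f.get("dst"))
        s["services"].add(f"{f.get('dstport')}/{transport}")
        s["srcports"].add(f.get("srcport"))
    return dict(by_src)


def fan_out(summary, min_targets=2):
    """Sources seen against at least min_targets distinct destinations or services."""
    return sorted(src for src, s in summary.items()
                  if len(s["dsts"]) >= min_targets or len(s["services"]) >= min_targets)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["count"], sorted(s["dsts"]), sorted(s["services"]), sorted(s["srcports"]))
```

Run against the full log rather than the three-line sample, the same summary shows whether the source port stays fixed across every packet from a source and how many addresses it touched.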
