Sandip Bhattacharya wrote:

Eep. After running through the Ethernet headers, I just discovered that these packets are coming from a Blaster-infected machine which is also flooding the network with SYN packets to continuously increasing IP numbers.

I have seen Blaster infections before, but I haven't ever seen traffic whose snippet is given above. Is this an old behaviour or is this a variation of the virus?"127.0.0.1.http"


Hmm. This is the last time I am replying to myself :-P ... on this thread. I have found my answer at
http://www.dshield.org/pipermail/list/2004-January/014030.php



And something REAL INTERESTING.


From:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.d.worm.html


[...]
If the current date is the 16th through the end of the month for the months of January to August, or if the current month is September through December, the worm will attempt to perform a DoS on Windows Update. However, the attempt to perform the DoS will succeed only if one of the following conditions is true:


* The worm runs on a Windows XP computer that was either infected or restarted during the payload period.
* The worm runs on a Windows 2000 computer that was infected during the payload period and has not been restarted since it was infected.
* The worm runs on a Windows 2000 computer that has been restarted since it was infected, during the payload period, and the currently logged in user is Administrator.
[...]



So today is blaster day! :)


- Sandip


-- Sandip Bhattacharya sandip (at) puroga.com http://www.sandipb.net

GPG: 51A4 6C57 4BC6 8C82 6A65 AE78 B1A1 2280 A129 0FF3
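The two observations in this thread, a host spraying SYNs at consecutively increasing destination addresses and the Symantec payload-date condition, are easy to turn into a small defensive check. The block below is an added example, not code from the post or from Symantec: it parses constructed tcpdump-style lines (the addresses, ports and timestamps are made up), flags any source whose SYNs walk consecutive destination addresses, and evaluates the quoted date window. Function names and the threshold of five consecutive hosts are assumptions chosen for the example.

```python
"""Added example (not from the original post): flag a host that sends TCP SYNs
to steadily increasing destination addresses, the scanning pattern described in
the thread, and evaluate the Blaster.D payload-date condition quoted from
Symantec. The log lines are constructed, tcpdump-style samples."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's "IP src.port > dst.port: Flags [..]" shape.
# 192.168.1.50 walks 10.0.0.1 .. 10.0.0.6 with pure SYNs (the scanner);
# 192.168.1.7 is ordinary traffic, including a SYN/ACK that must be ignored.
SAMPLE_LINES = """\
10:01:00.000001 IP 192.168.1.50.1034 > 10.0.0.1.135: Flags [S], seq 1, win 16384
10:01:00.000120 IP 192.168.1.50.1035 > 10.0.0.2.135: Flags [S], seq 2, win 16384
10:01:00.000250 IP 192.168.1.50.1036 > 10.0.0.3.135: Flags [S], seq 3, win 16384
10:01:00.000380 IP 192.168.1.50.1037 > 10.0.0.4.135: Flags [S], seq 4, win 16384
10:01:00.000510 IP 192.168.1.50.1038 > 10.0.0.5.135: Flags [S], seq 5, win 16384
10:01:00.000640 IP 192.168.1.50.1039 > 10.0.0.6.135: Flags [S], seq 6, win 16384
10:01:01.100000 IP 192.168.1.7.40000 > 192.168.1.20.80: Flags [S], seq 9, win 65535
10:01:01.200000 IP 192.168.1.20.80 > 192.168.1.7.40000: Flags [S.], seq 1, ack 10, win 65535
10:01:02.000000 IP 192.168.1.7.40001 > 192.168.1.21.80: Flags [S], seq 11, win 65535
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syns(text):
    """Return {src: [dst_as_int, ...]} for pure SYNs, in the order seen.

    A flags field of exactly "S" is a connection attempt; "S." carries the ACK
    bit and is the server's reply, so it is not counted.
    """
    syns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("flags") != "S":
            continue
        syns[m.group("src")].append(int(ipaddress.IPv4Address(m.group("dst"))))
    return syns


def longest_ascending_run(addrs):
    """Length of the longest run in which each destination is the previous one + 1."""
    best = run = 1 if addrs else 0
    for prev, cur in zip(addrs, addrs[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def sequential_syn_scanners(text, min_run=5):
    """Sources whose SYNs step through min_run or more consecutive addresses.

    min_run is an assumed threshold; tune it to the noise level of your network.
    """
    return sorted(src for src, addrs in parse_syns(text).items()
                  if longest_ascending_run(addrs) >= min_run)


def in_blaster_d_payload_window(month, day):
    """Symantec's stated condition: the 16th onward in January-August, or any day
    in September-December. Takes month and day as integers."""
    return month >= 9 or day >= 16


if __name__ == "__main__":
    print("sequential SYN scanners:", sequential_syn_scanners(SAMPLE_LINES))
    print("Jan 16 in payload window:", in_blaster_d_payload_window(1, 16))
```

Run against a real capture with `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` piped into `parse_syns`; the ascending-run check is deliberately strict (step of exactly one address), which is what separates a sequential sweep from a busy but legitimate client.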


_______________________________________________ ilugd mailing list [EMAIL PROTECTED] http://frodo.hserus.net/mailman/listinfo/ilugd
