The good news is that "witty" appears to not be a very witty propagator. Our flow data shows attempts to connect to 4000/udp on hosts in our network having a downward trend over the last few hours:

Time    Unique Source IPs
08:00   350
09:00   332
10:00   297
11:00   298
12:00   265

(all times PST)

-jr

* Josh Richards <[EMAIL PROTECTED]> [20040320 11:10]:
>
> Confirmed. We had our first customer (colo) hit yesterday evening at
> 20:43 PST. Additionally, they experienced the hard drive corruption (which
> was added to the ISC diary entry within the last several hours). Traffic
> was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant
> 60 Mbit/s before we took them off-line.
>
> -jr
>
> * Johannes B. Ullrich <[EMAIL PROTECTED]> [20040320 00:44]:
> > Looks like there may be a worm going around hitting systems that run
> > BlackIce. Common characteristics of the packets: Source port 4000 (but
> > random target port) and the string
> > "insert witty message here".
> >
> > details will be posted here:
> > http://isc.sans.org/diary.html
> > as I get them together.

--
Josh Richards         | Colocation   Web Hosting   Bandwidth
Digital West Networks | +1 805 781-9378 / www.digitalwest.net
San Luis Obispo, CA   | AS14589 & AS29962
[EMAIL PROTECTED]     | DWNI - Making Internet Business Better
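
An added example, not part of the original messages: one way to produce an hourly unique-source count like the table above, keyed on the packet characteristics quoted in the thread (UDP, source port 4000, any destination port, the string "insert witty message here"). The record layout, field names and sample rows are assumptions constructed for illustration; the addresses are documentation ranges.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not data from the thread): one row per packet
# summary with hour, source IP, protocol, ports and a payload excerpt.
SAMPLE = """\
hour,src,proto,sport,dport,payload
08:00,192.0.2.10,udp,4000,31337,....insert witty message here....
08:00,192.0.2.10,udp,4000,1029,....insert witty message here....
08:00,198.51.100.7,udp,4000,52011,....insert witty message here....
08:00,203.0.113.5,udp,4000,4000,icq keepalive
09:00,198.51.100.7,udp,4000,7781,....insert witty message here....
09:00,203.0.113.9,tcp,4000,80,insert witty message here
09:00,203.0.113.20,udp,53,4000,dns reply
"""

# Payload string quoted in the thread.
MARKER = "insert witty message here"


def matches_witty(rec):
    """True when a record shows all three characteristics from the thread.

    The destination port is deliberately ignored: the thread describes it
    as random, so only protocol, source port and payload are checked.
    """
    return (rec["proto"].lower() == "udp"
            and int(rec["sport"]) == 4000
            and MARKER in rec["payload"])


def unique_sources_per_hour(text):
    """Return {hour: number of distinct source IPs with matching packets}."""
    seen = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(text)):
        if matches_witty(rec):
            seen[rec["hour"]].add(rec["src"])  # set collapses repeat senders
    return {hour: len(srcs) for hour, srcs in sorted(seen.items())}


if __name__ == "__main__":
    for hour, count in unique_sources_per_hour(SAMPLE).items():
        print(f"{hour}  {count}")
```

Plain flow records usually carry no payload; without it the match falls back to protocol and source port alone, which also counts unrelated 4000/udp traffic such as the fourth sample row.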