-
October 27th, 2003, 10:59 PM
#1
HEADS UP - New Welchia worm based on RPC2
At approximately 4:42 PM EST, I began tracking massive infections on my network. All of my triggers pointed to the W32.Welchia worm; however, this seems to be a new variant that the AV companies aren't aware of as of yet. Seems that boxes patched with the latest RPC patch are not affected.
My external triggers and internal triggers are going insane. Looks like this is traveling across the internet very quickly. So far, the only footprints are port 707 TCP is open on infected hosts and my IDS is showing propagation source and destination as TCP 0 (which we know isn't happening).
Keep your eyes open folks. This should be a fun evening.
EDIT: 5:05 EST - Nachia IDS triggers are also going off on this one. This is gonna be ugly!
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
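The two footprints the post describes (TCP/707 open on infected hosts, and sensor records claiming TCP port 0 on both ends) can be turned into a simple triage pass over firewall logs. This is an added example, not code from the thread; the log format, host addresses and the `analyze` function are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread); a hypothetical
# "timestamp ACTION PROTO src:sport -> dst:dport" layout is assumed.
SAMPLE_LOGS = """\
2003-10-27T16:42:01 ACCEPT TCP 10.1.2.15:1045 -> 10.1.9.8:707
2003-10-27T16:42:02 ACCEPT TCP 10.1.2.15:1046 -> 10.1.9.9:707
2003-10-27T16:42:03 DROP TCP 10.1.2.15:0 -> 10.1.9.10:0
2003-10-27T16:42:04 ACCEPT TCP 10.1.3.7:2201 -> 10.1.9.8:80
2003-10-27T16:42:05 DROP TCP 10.1.4.22:3300 -> 10.1.9.12:707
2003-10-27T16:42:06 DROP TCP 10.1.2.15:0 -> 10.1.9.11:0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SUSPECT_PORT = 707  # listening port reported on infected hosts in the thread


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyze(log_text):
    """Return (listeners, port_zero_sources).

    listeners: destination hosts that ACCEPTed a TCP connection on port 707,
               i.e. candidates for the 'port 707 open' infection footprint.
    port_zero_sources: sources seen with TCP port 0 on either side; port 0 is
               not a usable TCP port, so this points at malformed packets or a
               sensor/decoder artifact worth checking rather than real traffic.
    """
    listeners = set()
    port_zero = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] == SUSPECT_PORT and rec["action"] == "ACCEPT":
            listeners.add(rec["dst"])
        if rec["sport"] == 0 or rec["dport"] == 0:
            port_zero[rec["src"]] += 1
    return sorted(listeners), dict(port_zero)
```

Hosts in `listeners` are the ones to pull for an AV scan and a check of the RPC patch level; the port-0 sources should be confirmed against a packet capture before being treated as real propagation.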
-
October 27th, 2003, 11:12 PM
#2
Checking my firewall logs and IDS logs right now as we speak, but so far nothing has been triggered that looks like what you are seeing.
If I find anything in my logs I'll be sure to add it here. Thanks for the heads up.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
-
October 27th, 2003, 11:24 PM
#3
Checked my firewall for any of those attacks, haven't seen any yet, but I will keep my eyes peeled. Thanks for the heads up.
-
October 28th, 2003, 12:00 AM
#4
Checked our stuff and things are quiet so far... 5:10 CST.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
October 28th, 2003, 12:37 AM
#5
All clear on the central front. 5:40 CST
-
October 28th, 2003, 12:56 AM
#6
At about the time thehorse13 mentions (calculating for PST) we were hit with about 30 minutes of hack attempts. Not on those ports. The source system was in Denver and I've already contacted the abuse@ISP for it.
Odd. This has been a very strange Monday.
Just updated my AV files from Symantec, nothing mentioned that matches what was described above.
-
October 28th, 2003, 01:34 AM
#7
-
October 28th, 2003, 02:17 AM
#8
My boss posted this to bugtraq and I posted this here and to ntbugtraq. So far one other person has the same issue.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
October 28th, 2003, 03:06 AM
#9
This, along with the new SSH vuln, will make for an interesting week.
-
October 28th, 2003, 03:19 AM
#10
thanks
TH13, thanks for the warning.
I've already talked to my company's security officer, and we are gonna send out an alert on this. We have had 4 offices that had Welchia outbreaks, and I know some were before MS03-039 came out.
If you and your boss get the credit as being the first ones to notify about this, any idea what you would call the worm?