|
-
October 28th, 2003, 10:17 PM
#21
Yeah, the Welchia triggers are going off but it isn't *exactly* the same because the nachia triggers are also going off. We saw this write up and are all too familiar with W32.Welchia. What we are seeing is a tad different.
Thanks for the heads up though Pure. Oh, and PM me when you get a chance. I have to ask you something.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
October 28th, 2003, 10:39 PM
#22
My logs have been overburdened by a bunch of attacks on port 135 since august. So I'm completely unable to notice an increase of such attacks in my area.
I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned in worm traps by an AV company. 
Life is boring. Play NetHack... --more--
-
October 28th, 2003, 10:56 PM
#23
Originally posted here by KissCool
My logs have been overburdened by a bunch of attacks on port 135 since august. So I'm completely unable to notice an increase of such attacks in my area.
I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned in worm traps by an AV company.
cat /var/logs/whateveryourlog is | grep internal-ip-here | grep port 135
Please excuse the syntax, might not work exactly as planned, but the idea is to read the log file, filter only the logs from your internal ip on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs your interested in.
--PuRe
-
October 28th, 2003, 11:01 PM
#24
FWIW, my logs show some increase in port 135 activity, but they are being flooded with port 554 which IIRC is a RealNetworks server.... So I guess there's a new exploit out against that too because I haven't noticed concerted scanning for that port in the past.
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
October 29th, 2003, 12:05 AM
#25
filter only the logs from your internal ip on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs your interested in.
It could work in other circumstances, but I am obliged to monitor external traffic because I have blocked everything which is going to port 135 in order to, precisely, protect my internal network, which one is not targeted in order to act as an honeypot.
Life is boring. Play NetHack... --more--
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote