HEADS UP - New Welchia worm based on RPC2 - Page 3
Page 3 of 3 FirstFirst 123
Results 21 to 25 of 25

Thread: HEADS UP - New Welchia worm based on RPC2

  1. #21
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yeah, the Welchia triggers are going off but it isn't *exactly* the same because the nachia triggers are also going off. We saw this write up and are all too familiar with W32.Welchia. What we are seeing is a tad different.

    Thanks for the heads up though Pure. Oh, and PM me when you get a chance. I have to ask you something.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #22
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    My logs have been overburdened by a bunch of attacks on port 135 since august. So I'm completely unable to notice an increase of such attacks in my area.
    I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned in worm traps by an AV company.
    Life is boring. Play NetHack... --more--

  3. #23
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Originally posted here by KissCool
    My logs have been overburdened by a bunch of attacks on port 135 since august. So I'm completely unable to notice an increase of such attacks in my area.
    I can only affirm that my router's ISP are infected by every new worm which appears. They are so efficient for this task that they could be turned in worm traps by an AV company.
    cat /var/logs/whateveryourlog is | grep internal-ip-here | grep port 135

    Please excuse the syntax, might not work exactly as planned, but the idea is to read the log file, filter only the logs from your internal ip on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs your interested in.


    --PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  4. #24
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    FWIW, my logs show some increase in port 135 activity, but they are being flooded with port 554 which IIRC is a RealNetworks server.... So I guess there's a new exploit out against that too because I haven't noticed concerted scanning for that port in the past.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #25
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    filter only the logs from your internal ip on the firewall/gateway machine and to filter again to only logs on that particular port. This should help you narrow down to just the logs your interested in.
    It could work in other circumstances, but I am obliged to monitor external traffic because I have blocked everything which is going to port 135 in order to, precisely, protect my internal network, which one is not targeted in order to act as an honeypot.
    Life is boring. Play NetHack... --more--

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •