-
November 15th, 2003, 09:16 PM
#1
Senior Member
Weird Network Traffic
I was just wondering if anyone else was noticing this. I got up today, went to school, and noticed that I was getting a bunch of RPC port probes. Now, this is the same type of traffic that Blaster used to put out. While watching my IDS, it seemed to be spreading to other hosts on the network at the college and they were probing me also. Has anyone else been seeing traffic like this? I checked my mailing lists and I didn't see any news on a new worm, although I did see some new MS exploits.
-
November 16th, 2003, 12:35 AM
#2
I've been getting those probes every day, almost on schedule, ever since Blaster. So I wouldn't have noticed any new waves of attacks.
PeacE
-BoB
#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)
-
November 16th, 2003, 01:52 AM
#3
Senior Member
This is definitely something new and not Blaster, very similar though. I believe it is attacking in a similar style.
-
November 16th, 2003, 03:06 AM
#4
It wouldn't surprise me one bit. I will keep an eye on my logs.
PeacE
-BoB
-
November 16th, 2003, 03:12 AM
#5
I see one of two probable answers here. The first being that your school systems were never patched and someone inadvertently/purposely introduced Blaster code into the network, thus the RPCs.
The second is that an exploit has been developed for the latest M$ exploit released last week. (Somewhere in the 48-50 range) From what I have read of the exploit it is very similar to the RPC exploit in Blaster. That being the case, compiled with the fact that it uses UDP/TCP 138, 139, and 445, it should be quite easy to modify the existing Blaster worm to attack the new exploit. Just a stab in the dark but it would not surprise me.
-
November 16th, 2003, 05:14 AM
#6
Have received similar increased traffic over the last week....
Thought it was A LOT of unpatched machines on the ISP subnet?
mlf
How people treat you is their karma- how you react is yours-Wayne Dyer
-
November 18th, 2003, 12:50 AM
#7
Senior Member
The school's systems were patched against Blaster and it wasn't just a scanning program doing probing for patches not being applied. I don't know, I guess I will have to wait till I go back. Thanks everyone for posting.