Incidents Archiv September 2002

Date Index

RE: [incidents] Bots hitting my web server?, Rob Keown
Any tcp/608 activity?, Andrey G. Sergeev (AKA Andris)
- Re: Any tcp/608 activity?, Johannes Ullrich
- <Possible follow-ups>
- RE: Any tcp/608 activity?, Garramone, Michael (CCI-Las Vegas)
- RE: Any tcp/608 activity?, Garramone, Michael (CCI-Las Vegas)
Re: What's going on here?, Valdis . Kletnieks
Strange back-orifice looking scan..., Jeff Kell
- <Possible follow-ups>
- Re: Strange back-orifice looking scan..., KoRe MeLtDoWn
  - Re: Strange back-orifice looking scan..., Jeff Kell
- Re: Strange back-orifice looking scan..., Neil Dickey
  - Re: Strange back-orifice looking scan..., Scott Nursten
new type of formmail probes, Russell Fulton
- Re: new type of formmail probes, sunzi
- Re: new type of formmail probes, Kerry Thompson
- Re: new type of formmail probes, Soeren Ziehe
Odd sendmail behavior, Etaoin Shrdlu
- Re: Odd sendmail behavior, Jay D. Dyson
- Re: Odd sendmail behavior, Michael Katz
  - Re: Re: Odd sendmail behavior, Nigel Frankcom
    - Re: Odd sendmail behavior, Etaoin Shrdlu
Q328691 ?, Bronek Kozicki
- Re: Q328691 ?, H C
  - Re: Q328691 ?, Jonathan Rickman
    - Re: Q328691 ?, Nick FitzGerald
  - Re: Q328691 ?, Baribault, Gary
  - Re: Q328691 ?, sunzi
- Re: Q328691 ?, Joe Blatz
  - Re: Q328691 ?, Jon
  - Re: Q328691 ?, HggdH
- Re: Q328691 ?, Valdis . Kletnieks
- <Possible follow-ups>
- RE: Q328691 ?, Byrne, David
- Re: Q328691 ?, Security
  - Re: Q328691 ?, sunzi
- Re: SV: Q328691 ?, H C
- Re: Q328691 ?, Bronek Kozicki
  - Re: Q328691 ?, H C
- Re: Q328691 ?, Bernt Lervik
  - RE: Q328691 ?, Jason Coombs
- Re: SV: Q328691 ?, jennifer smith
  - Re: SV: Q328691 ?, H C
- RE: Q328691 ?, Byrne, David
- Re: Q328691 ?, Kyle Lai
Lame website scanner scanning subnets, zeno
remote kernel exploits?, andy_mn
- Re: [Full-Disclosure] remote kernel exploits?, Azerail
- Re: remote kernel exploits?, Jose Nazario
- Re: remote kernel exploits?, Stephen
- <Possible follow-ups>
- RE: remote kernel exploits?, Yonatan Bokovza
Possible PHP worm ?, Mark Ng
Code Red / Nimda Antidote?, Clinton Smith
- Re: Code Red / Nimda Antidote?, Brad Arlt
- Re: Code Red / Nimda Antidote?, Roger Thompson
  - Re: Code Red / Nimda Antidote?, Johannes Ullrich
- Re: Code Red / Nimda Antidote?, Jay D. Dyson
IH FAQ, Shaheem Motlekar
prisoner.iana.org, Diver8
- <Possible follow-ups>
- RE: prisoner.iana.org, David Vincent
- RE: prisoner.iana.org, Carey, Steve T ISD
  - Re: prisoner.iana.org, kent
weird b.cgi, HalbaSus
- Re: weird b.cgi, Roger Thompson
  - Re: weird b.cgi, HalbaSus
UDP port 22321, Greg Schmidt
- <Possible follow-ups>
- RE: UDP port 22321, Jeremy Junginger
  - Re: UDP port 22321, David U.
UDP flood on port 2001, Arnold Yancha
- Re: UDP flood on port 2001, Michael Katz
  - Re: UDP flood on port 2001, Arnold Yancha
- <Possible follow-ups>
- RE: UDP flood on port 2001, Garbrecht, Frederick
- Re: UDP flood on port 2001, KoRe MeLtDoWn
possible ssh hack, Ver Allan Sumabat
- Re: possible ssh hack, Alvin Oga
- Re: possible ssh hack, Adam Bultman
- RE: possible ssh hack, Loki
  - RE: possible ssh hack, Ver Allan Sumabat
    - RE: possible ssh hack, Michael Osten
    - Re: possible ssh hack, Skip
    - RE: possible ssh hack, Alvin Oga
    - Re: possible ssh hack, Rico Gloeckner
- RE: possible ssh hack, Loki
What's the tool? (iis, ftp, 57/tcp), Scott A. McIntyre
strange output from chkrootkit, Raúl Eduardo Millán Villalaz
- <Possible follow-ups>
- Re: strange output from chkrootkit, zeno
Re: [Full-Disclosure] RE: remote kernel exploits?, andy_mn
Re: slaper trafic, james
- Re: slaper trafic, Jose Nazario
- Re: slaper trafic, Jeff
- Re: slaper trafic, Denis Dimick
- Re: slaper trafic, Michael Katz
non worm ssl attacks, Russell Fulton
- Re: [unisog] non worm ssl attacks, Christian Wilson
Good practicle php attack example, zeno
- Re: Good practicle php attack example, Harald Finnaas
- <Possible follow-ups>
- Re: Good practicle php attack example, Steven M. Christey
- Re: Good practicle php attack example, Steven M. Christey
Another Nimda attack??, Eugene Chua Yew Gin
- Re: Another Nimda attack??, Roger Thompson
Win2K Advaned Server compromise report available, Curt Wilson
Analysis of Modap worm, Mario van Velzen
- Re: Analysis of Modap worm, Paul Wouters
RE: Interesting packets, Boyan Krosnov
- <Possible follow-ups>
- RE: Interesting packets, Semerjian, Ohanes
  - Re: Interesting packets, Marcelo Barbosa Lima
Huge Autoexec.bat, Matthew S Barnes
- Re: Huge Autoexec.bat, Nick FitzGerald
- Re: Huge Autoexec.bat, Chris Norris
What's on udp/2002 ?, Guido Van De Velde
- Re: What's on udp/2002 ?, rewt
  - Re: What's on udp/2002 ?, Nick FitzGerald
- Re: What's on udp/2002 ?, Jay D. Dyson
  - Re: What's on udp/2002 ?, Kurt Seifried
- Re: What's on udp/2002 ?, Russell Harding
- Re: What's on udp/2002 ?, Nick FitzGerald
- Re: What's on udp/2002 ?, Johannes Ullrich
- Re: What's on udp/2002 ?, Jose Nazario
- Re: What's on udp/2002 ?, Guido Van De Velde
- <Possible follow-ups>
- RE: What's on udp/2002 ?, Matthew F. Caldwell
Thank you all for your responses to "Huge Autoexec.bat", Matthew S Barnes
Linux Slapper Worm and Linksys, James Williams
- Re: Linux Slapper Worm and Linksys, Johannes Ullrich
- <Possible follow-ups>
- Re: Linux Slapper Worm and Linksys, Mike Lewinski
  - Re: Linux Slapper Worm and Linksys, Pavel Lozhkin
new IIS worm? (rcp lsass.exe), Christian Mock
- Re: new IIS worm? (rcp lsass.exe), Björn Wallentinus
- Re: new IIS worm? (rcp lsass.exe), Michael Thompson
  - Re: new IIS worm? (rcp lsass.exe), Nick FitzGerald
- Re: new IIS worm? (rcp lsass.exe), Mike Lewinski
  - Re: new IIS worm? (rcp lsass.exe), Lasse Sundström
- Re: new IIS worm? (rcp lsass.exe), Nick FitzGerald
- <Possible follow-ups>
- Re: new IIS worm? (rcp lsass.exe), Mike Lewinski
- Re: new IIS worm? (rcp lsass.exe), pj
- RE: new IIS worm? (rcp lsass.exe), Bellenger, Bruno (Paris)
  - Slapper worm DoS, james
- Re: new IIS worm? (rcp lsass.exe), Mike Lewinski
  - Re: new IIS worm? (rcp lsass.exe), Eloy A. Paris
- RE: new IIS worm? (rcp lsass.exe), Mark Challender
- Re: new IIS worm? (rcp lsass.exe), zeno
  - Re: new IIS worm? (rcp lsass.exe), James Williams
  - RE: new IIS worm? (rcp lsass.exe), Ben Timby
  - Re: new IIS worm? (rcp lsass.exe), sunzi
  - Re: new IIS worm? (rcp lsass.exe), Nick FitzGerald
    - Re: new IIS worm? (rcp lsass.exe), Faisal Ashraf
  - Re: new IIS worm? (rcp lsass.exe), Christoph Puppe
- RE: new IIS worm? (rcp lsass.exe), John Campbell
- Re: new IIS worm? (rcp lsass.exe), zeno
- RE: new IIS worm? (rcp lsass.exe), Dostie, Joe
- RE: new IIS worm? (rcp lsass.exe), webbi
- RE: new IIS worm? (rcp lsass.exe), John Campbell
- Re: new IIS worm? (rcp lsass.exe), zeno
- RE: new IIS worm? (rcp lsass.exe), Gaydosh, Adam
- RE: new IIS worm? (rcp lsass.exe), Bax . Plemons
- RE: new IIS worm? (rcp lsass.exe), David LeBlanc
- RE: new IIS worm? (rcp lsass.exe), Dallas Jordan
- Re: new IIS worm? (rcp lsass.exe), Muhammad Faisal Rauf Danka
New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well), H. Morrow Long
- Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well), Tom Sands
"Worm riders" on 4156?, Anton Chuvakin, Ph.D., GCIA
slapper worm varient "cinik", James P. Kinney III
- Re: slapper worm varient "cinik", Anton A. Chuvakin
  - Re: slapper worm varient "cinik", Mark
    - Re: slapper worm varient "cinik", James P. Kinney III
New worm?, Norbert Bollow
Modap Worm Infection and Subsequent Scanning, Gordon Chamberlin
- Re: Modap Worm Infection and Subsequent Scanning, Glenn Forbes Fleming Larratt
  - Re: Modap Worm Infection and Subsequent Scanning, Valdis . Kletnieks
Port 11890, Scott Nursten
AIM-based worm?, Troy Ablan
- Re: AIM-based worm?, Adam Young
- Re: AIM-based worm?, De Velopment
  - Re: AIM-based worm?, Troy Ablan
    - Re: AIM-based worm?, Midkaemia
- <Possible follow-ups>
- RE: AIM-based worm?, webbi
- RE: AIM-based worm?, Ralph Emery
- RE: AIM-based worm?, MH Michael Hammer (5304)
- RE: AIM-based worm?, x x
  - Re: AIM-based worm?, skipper
- RE: AIM-based worm?, Ron Yount
VS: slapper worm varient "cinik", Toni Heinonen
Snake in the grass, sf
- RE: Snake in the grass, list subscriber
E-Card Remote Code Execution Scam, Jonathan A. Zdziarski
- Re: E-Card Remote Code Execution Scam, Jeff Jirsa
- RE: E-Card Remote Code Execution Scam, Fulton Preston
  - RE: E-Card Remote Code Execution Scam, Jonathan A. Zdziarski
    - RE: E-Card Remote Code Execution Scam, Fulton Preston
- Re: E-Card Remote Code Execution Scam, Axel Pettinger
- RE: E-Card Remote Code Execution Scam, H.Karrenbeld
- <Possible follow-ups>
- RE: E-Card Remote Code Execution Scam, Jonathan A. Zdziarski
  - RE: E-Card Remote Code Execution Scam, Jason Robertson
Unusual volume: UDP:137 probes, John Sage
- <Possible follow-ups>
- RE: Unusual volume: UDP:137 probes, Mark Forsyth
  - Re: Unusual volume: UDP:137 probes, Emeric Miszti
    - Re: Unusual volume: UDP:137 probes, Christopher Albert
  - RE: Unusual volume: UDP:137 probes, Brett Procter
    - RE: Unusual volume: UDP:137 probes, Bamm (Robert) Visscher
  - RE: Unusual volume: UDP:137 probes, fingers
  - Re: Unusual volume: UDP:137 probes, Scott McGee
    - RE: Unusual volume: UDP:137 probes, Joseph R. Gruber
  - Re: Unusual volume: UDP:137 probes, Scott McGee
- RE: Unusual volume: UDP:137 probes, Mark Forsyth
Increase in SSH scans, Robert Rich
- WinXP integrated packet filtering, Maxime Ducharme
- <Possible follow-ups>
- RE: Increase in SSH scans, Keith T. Morgan
FW: DNS servers outbound connections., Philip Bartholomew
RE: Port 608/trojan/spam, Garramone, Michael (CCI-Las Vegas)
Re: WinXP integrated packet filtering, Maxime Ducharme
IIS Using Port 1843, Matt Barton
Strange random-number.file entries in Apache logs, Sam Campbell

Mail converted by MHonArc