Incidents Archiv September 2002

• Thread Index

• RE: [incidents] Bots hitting my web server?
  • From: Rob Keown
• Any tcp/608 activity?
  • From: Andrey G. Sergeev (AKA Andris)
• Re: What's going on here?
  • From: Valdis . Kletnieks
• Re: Any tcp/608 activity?
  • From: Johannes Ullrich
• Strange back-orifice looking scan...
  • From: Jeff Kell
• RE: Any tcp/608 activity?
  • From: Garramone, Michael (CCI-Las Vegas)
• Re: Strange back-orifice looking scan...
  • From: KoRe MeLtDoWn
• Re: Strange back-orifice looking scan...
  • From: Jeff Kell
• new type of formmail probes
  • From: Russell Fulton
• RE: Any tcp/608 activity?
  • From: Garramone, Michael (CCI-Las Vegas)
• Re: new type of formmail probes
  • From: sunzi
• Re: Strange back-orifice looking scan...
  • From: Neil Dickey
• Odd sendmail behavior
  • From: Etaoin Shrdlu
• Re: Odd sendmail behavior
  • From: Jay D. Dyson
• Re: Odd sendmail behavior
  • From: Michael Katz
• Re: new type of formmail probes
  • From: Kerry Thompson
• Re: Re: Odd sendmail behavior
  • From: Nigel Frankcom
• Re: Odd sendmail behavior
  • From: Etaoin Shrdlu
• Q328691 ?
  • From: Bronek Kozicki
• Re: Q328691 ?
  • From: H C
• Re: new type of formmail probes
  • From: Soeren Ziehe
• Lame website scanner scanning subnets
  • From: zeno
• Re: Q328691 ?
  • From: Jonathan Rickman
• Re: Q328691 ?
  • From: Joe Blatz
• Re: Q328691 ?
  • From: Valdis . Kletnieks
• Re: Q328691 ?
  • From: Baribault, Gary
• RE: Q328691 ?
  • From: Byrne, David
• Re: Q328691 ?
  • From: Jon
• Re: Q328691 ?
  • From: Security
• Re: Q328691 ?
  • From: sunzi
• Re: Q328691 ?
  • From: H C
• Re: SV: Q328691 ?
  • From: H C
• remote kernel exploits?
  • From: andy_mn
• Re: [Full-Disclosure] remote kernel exploits?
  • From: Azerail
• Re: remote kernel exploits?
  • From: Jose Nazario
• Possible PHP worm ?
  • From: Mark Ng
• Code Red / Nimda Antidote?
  • From: Clinton Smith
• IH FAQ
  • From: Shaheem Motlekar
• Re: Q328691 ?
  • From: HggdH
• Re: Q328691 ?
  • From: Nick FitzGerald
• prisoner.iana.org
  • From: Diver8
• Re: Q328691 ?
  • From: Bronek Kozicki
• Re: Q328691 ?
  • From: Bernt Lervik
• Re: Q328691 ?
  • From: sunzi
• Re: SV: Q328691 ?
  • From: jennifer smith
• Re: SV: Q328691 ?
  • From: H C
• Re: Code Red / Nimda Antidote?
  • From: Brad Arlt
• RE: prisoner.iana.org
  • From: David Vincent
• Re: Code Red / Nimda Antidote?
  • From: Roger Thompson
• weird b.cgi
  • From: HalbaSus
• RE: Q328691 ?
  • From: Jason Coombs
• Re: Code Red / Nimda Antidote?
  • From: Johannes Ullrich
• RE: prisoner.iana.org
  • From: Carey, Steve T ISD
• Re: weird b.cgi
  • From: Roger Thompson
• UDP port 22321
  • From: Greg Schmidt
• RE: UDP port 22321
  • From: Jeremy Junginger
• Re: UDP port 22321
  • From: David U.
• Re: Code Red / Nimda Antidote?
  • From: Jay D. Dyson
• Re: remote kernel exploits?
  • From: Stephen
• Re: prisoner.iana.org
  • From: kent
• Re: weird b.cgi
  • From: HalbaSus
• UDP flood on port 2001
  • From: Arnold Yancha
• RE: remote kernel exploits?
  • From: Yonatan Bokovza
• possible ssh hack
  • From: Ver Allan Sumabat
• Re: UDP flood on port 2001
  • From: Michael Katz
• Re: possible ssh hack
  • From: Alvin Oga
• RE: Q328691 ?
  • From: Byrne, David
• Re: possible ssh hack
  • From: Adam Bultman
• RE: UDP flood on port 2001
  • From: Garbrecht, Frederick
• Re: UDP flood on port 2001
  • From: KoRe MeLtDoWn
• Re: Strange back-orifice looking scan...
  • From: Scott Nursten
• Re: Q328691 ?
  • From: Kyle Lai
• RE: possible ssh hack
  • From: Loki
• What's the tool? (iis, ftp, 57/tcp)
  • From: Scott A. McIntyre
• RE: possible ssh hack
  • From: Loki
• Re: UDP flood on port 2001
  • From: Arnold Yancha
• RE: possible ssh hack
  • From: Ver Allan Sumabat
• RE: possible ssh hack
  • From: Michael Osten
• Re: possible ssh hack
  • From: Skip
• RE: possible ssh hack
  • From: Alvin Oga
• strange output from chkrootkit
  • From: Raúl Eduardo Millán Villalaz
• Re: [Full-Disclosure] RE: remote kernel exploits?
  • From: andy_mn
• Re: strange output from chkrootkit
  • From: zeno
• Re: possible ssh hack
  • From: Rico Gloeckner
• Re: slaper trafic
  • From: james
• Re: slaper trafic
  • From: Jose Nazario
• Re: [unisog] non worm ssl attacks
  • From: Christian Wilson
• non worm ssl attacks
  • From: Russell Fulton
• Good practicle php attack example
  • From: zeno
• Another Nimda attack??
  • From: Eugene Chua Yew Gin
• Win2K Advaned Server compromise report available
  • From: Curt Wilson
• Analysis of Modap worm
  • From: Mario van Velzen
• Re: Interesting packets
  • From: Marcelo Barbosa Lima
• Re: slaper trafic
  • From: Jeff
• RE: Interesting packets
  • From: Boyan Krosnov
• Re: Huge Autoexec.bat
  • From: Nick FitzGerald
• Huge Autoexec.bat
  • From: Matthew S Barnes
• RE: Interesting packets
  • From: Semerjian, Ohanes
• Re: slaper trafic
  • From: Denis Dimick
• Re: slaper trafic
  • From: Michael Katz
• What's on udp/2002 ?
  • From: Guido Van De Velde
• Re: Another Nimda attack??
  • From: Roger Thompson
• Re: What's on udp/2002 ?
  • From: rewt
• Re: Huge Autoexec.bat
  • From: Chris Norris
• Re: What's on udp/2002 ?
  • From: Jay D. Dyson
• Re: What's on udp/2002 ?
  • From: Russell Harding
• Re: What's on udp/2002 ?
  • From: Nick FitzGerald
• Thank you all for your responses to "Huge Autoexec.bat"
  • From: Matthew S Barnes
• Re: Good practicle php attack example
  • From: Harald Finnaas
• Re: What's on udp/2002 ?
  • From: Kurt Seifried
• Re: What's on udp/2002 ?
  • From: Johannes Ullrich
• Re: What's on udp/2002 ?
  • From: Nick FitzGerald
• RE: What's on udp/2002 ?
  • From: Matthew F. Caldwell
• Re: What's on udp/2002 ?
  • From: Jose Nazario
• Re: What's on udp/2002 ?
  • From: Guido Van De Velde
• Re: Good practicle php attack example
  • From: Steven M. Christey
• Linux Slapper Worm and Linksys
  • From: James Williams
• Re: Linux Slapper Worm and Linksys
  • From: Johannes Ullrich
• Re: Linux Slapper Worm and Linksys
  • From: Mike Lewinski
• Re: Linux Slapper Worm and Linksys
  • From: Pavel Lozhkin
• new IIS worm? (rcp lsass.exe)
  • From: Christian Mock
• Re: Good practicle php attack example
  • From: Steven M. Christey
• New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)
  • From: H. Morrow Long
• Re: new IIS worm? (rcp lsass.exe)
  • From: Björn Wallentinus
• Re: new IIS worm? (rcp lsass.exe)
  • From: Michael Thompson
• Re: new IIS worm? (rcp lsass.exe)
  • From: Mike Lewinski
• Re: new IIS worm? (rcp lsass.exe)
  • From: Nick FitzGerald
• Re: new IIS worm? (rcp lsass.exe)
  • From: Mike Lewinski
• Re: new IIS worm? (rcp lsass.exe)
  • From: pj
• Re: new IIS worm? (rcp lsass.exe)
  • From: Nick FitzGerald
• Re: New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)
  • From: Tom Sands
• RE: new IIS worm? (rcp lsass.exe)
  • From: Bellenger, Bruno (Paris)
• "Worm riders" on 4156?
  • From: Anton Chuvakin, Ph.D., GCIA
• Re: new IIS worm? (rcp lsass.exe)
  • From: Lasse Sundström
• Re: Analysis of Modap worm
  • From: Paul Wouters
• Slapper worm DoS
  • From: james
• Re: new IIS worm? (rcp lsass.exe)
  • From: Mike Lewinski
• RE: new IIS worm? (rcp lsass.exe)
  • From: Mark Challender
• Re: new IIS worm? (rcp lsass.exe)
  • From: Eloy A. Paris
• Re: new IIS worm? (rcp lsass.exe)
  • From: zeno
• Re: new IIS worm? (rcp lsass.exe)
  • From: James Williams
• RE: new IIS worm? (rcp lsass.exe)
  • From: John Campbell
• Re: new IIS worm? (rcp lsass.exe)
  • From: zeno
• RE: new IIS worm? (rcp lsass.exe)
  • From: Ben Timby
• RE: new IIS worm? (rcp lsass.exe)
  • From: Dostie, Joe
• RE: new IIS worm? (rcp lsass.exe)
  • From: webbi
• slapper worm varient "cinik"
  • From: James P. Kinney III
• RE: new IIS worm? (rcp lsass.exe)
  • From: John Campbell
• Re: new IIS worm? (rcp lsass.exe)
  • From: zeno
• Re: new IIS worm? (rcp lsass.exe)
  • From: sunzi
• New worm?
  • From: Norbert Bollow
• Re: new IIS worm? (rcp lsass.exe)
  • From: Nick FitzGerald
• Modap Worm Infection and Subsequent Scanning
  • From: Gordon Chamberlin
• Re: new IIS worm? (rcp lsass.exe)
  • From: Christoph Puppe
• Re: slapper worm varient "cinik"
  • From: Anton A. Chuvakin
• RE: new IIS worm? (rcp lsass.exe)
  • From: Gaydosh, Adam
• Re: Modap Worm Infection and Subsequent Scanning
  • From: Glenn Forbes Fleming Larratt
• Port 11890
  • From: Scott Nursten
• Re: slapper worm varient "cinik"
  • From: Mark
• AIM-based worm?
  • From: Troy Ablan
• Re: new IIS worm? (rcp lsass.exe)
  • From: Faisal Ashraf
• RE: new IIS worm? (rcp lsass.exe)
  • From: Bax . Plemons
• RE: new IIS worm? (rcp lsass.exe)
  • From: David LeBlanc
• RE: new IIS worm? (rcp lsass.exe)
  • From: Dallas Jordan
• Re: slapper worm varient "cinik"
  • From: James P. Kinney III
• Re: new IIS worm? (rcp lsass.exe)
  • From: Muhammad Faisal Rauf Danka
• RE: AIM-based worm?
  • From: webbi
• Re: Modap Worm Infection and Subsequent Scanning
  • From: Valdis . Kletnieks
• Re: AIM-based worm?
  • From: Adam Young
• VS: slapper worm varient "cinik"
  • From: Toni Heinonen
• RE: AIM-based worm?
  • From: Ralph Emery
• RE: AIM-based worm?
  • From: MH Michael Hammer (5304)
• Re: AIM-based worm?
  • From: De Velopment
• RE: AIM-based worm?
  • From: x x
• Re: AIM-based worm?
  • From: Troy Ablan
• RE: AIM-based worm?
  • From: Ron Yount
• Snake in the grass
  • From: sf
• E-Card Remote Code Execution Scam
  • From: Jonathan A. Zdziarski
• RE: E-Card Remote Code Execution Scam
  • From: Jonathan A. Zdziarski
• Re: AIM-based worm?
  • From: skipper
• Re: E-Card Remote Code Execution Scam
  • From: Jeff Jirsa
• RE: E-Card Remote Code Execution Scam
  • From: Jason Robertson
• RE: E-Card Remote Code Execution Scam
  • From: Jonathan A. Zdziarski
• RE: E-Card Remote Code Execution Scam
  • From: Fulton Preston
• RE: E-Card Remote Code Execution Scam
  • From: Fulton Preston
• Re: E-Card Remote Code Execution Scam
  • From: Axel Pettinger
• RE: Snake in the grass
  • From: list subscriber
• RE: E-Card Remote Code Execution Scam
  • From: H.Karrenbeld
• Re: AIM-based worm?
  • From: Midkaemia
• Unusual volume: UDP:137 probes
  • From: John Sage
• RE: Unusual volume: UDP:137 probes
  • From: Mark Forsyth
• Increase in SSH scans
  • From: Robert Rich
• FW: DNS servers outbound connections.
  • From: Philip Bartholomew
• WinXP integrated packet filtering
  • From: Maxime Ducharme
• Re: Unusual volume: UDP:137 probes
  • From: Emeric Miszti
• RE: Unusual volume: UDP:137 probes
  • From: Brett Procter
• RE: Increase in SSH scans
  • From: Keith T. Morgan
• RE: Unusual volume: UDP:137 probes
  • From: fingers
• RE: Unusual volume: UDP:137 probes
  • From: Mark Forsyth
• Re: Unusual volume: UDP:137 probes
  • From: Scott McGee
• Re: Unusual volume: UDP:137 probes
  • From: Scott McGee
• RE: Port 608/trojan/spam
  • From: Garramone, Michael (CCI-Las Vegas)
• RE: Unusual volume: UDP:137 probes
  • From: Bamm (Robert) Visscher
• Re: WinXP integrated packet filtering
  • From: Maxime Ducharme
• Re: Unusual volume: UDP:137 probes
  • From: Christopher Albert
• IIS Using Port 1843
  • From: Matt Barton
• RE: Unusual volume: UDP:137 probes
  • From: Joseph R. Gruber
• Strange random-number.file entries in Apache logs
  • From: Sam Campbell