[32508] in bugtraq
RE: Router Worm?
daemon@ATHENA.MIT.EDU (David Gillett)
Thu Nov 20 14:22:10 2003
Reply-To: <gillettdavid@fhda.edu>
From: "David Gillett" <gillettdavid@fhda.edu>
To: "'Jose Nazario'" <jose@monkey.org>,
"'Jay D. Dyson'" <jdyson@treachery.net>
Cc: "'Bugtraq'" <bugtraq@securityfocus.com>
Date: Thu, 20 Nov 2003 09:14:10 -0800
Message-ID: <046101c3af89$b7736800$6e811299@HURON>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.BSO.4.58.0311192003490.29921@naughty.monkey.org>
I've never seen it do that, in the about 50 or so instances
I've encountered. Does it only do it occasionally? Does it
attack the same host against which 135/tcp failed, or some
random third party?
(Does it, perhaps, distinguish between 135/tcp "failed to
connect" and 135/tcp "connected, but target was patched and
so could not be infected"?)
David Gillett
> -----Original Message-----
> From: Jose Nazario [mailto:jose@monkey.org]
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
>
>
> its welchia/nachi. when it can't connect via 135/tcp, it will
> attempt an
> exploit against a webdav server (see MS03-007).
>
> i've seen an uptick in this in the past couple of days, too,
> visible on a
> few httpd servers i track. and i, too, was caught off guard
> until someone
> pointed out it was nachi to me. digging into the tech details
> showed that
> i (and many of us) had been overlooking a secondary attack.
>
> ___________________________
> jose nazario, ph.d. jose@monkey.org
> http://monkey.org/~jose/
>
