[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] DCOM

To: joey2cool@yahoo.com
Subject: Re: [Full-Disclosure] DCOM
From: Valdis.Kletnieks@vt.edu
Date: Mon, 11 Aug 2003 23:37:06 -0400

On Mon, 11 Aug 2003 13:14:16 PDT, Joey <joey2cool@yahoo.com>  said:
> The targets total has stayed about the same for the
> past 2 weeks. I see no difference.
> 
> http://isc.sans.org/port_details.html?port=135

It took me a while to figure that out, until I realized what was going on:

Port 135 probes are *SO* prevalent that *every single* submission to DShield
has at least one or two dozen (I know my laptop gets several an hour).  So what
that's *REALLY* measuring is "How many DShield sites have made any sort of
report that day" - the "number of targets" is approximately "number of sensors
active today".

Take a look at the "sources" line instead....

PGP signature

References:
- Re: [Full-Disclosure] DCOM
  - From: Joey <joey2cool@yahoo.com>

Prev by Date: RE: [Full-Disclosure] DDoS on the 16th - Fail if no DNS resolution?
Next by Date: Re: [Full-Disclosure] Windows Dcom Worm Killer and source code
Prev by thread: Re: [Full-Disclosure] DCOM
Next by thread: Re: [Full-Disclosure] DCOM
Index(es):
- Date
- Thread