
Re: [Full-Disclosure] Reverse http traffic revisited



On 18 Jan 2004 01:12:17 -0800
"Daniel H. Renner" <dan@losangelescomputerhelp.com> wrote:

> ICMP PING CyberKit 2.2 Windows

This is how Snort detects Blaster's/Nachi's attempts to ping an IP in order to 
check if it's alive, before trying to connect to port 80. Could be another 
variation of the Blaster worm. I would check (also Snort may detect CyberKit 
2.2 packets as well, but I suppose that is something you would know of). If the 
packets are incoming, it is a normal thing that I witness in Snort's logs as 
well very often. Actually, I have removed the rule from Snort's rulesets, 
because it used to fill my logs with CyberKit attempts :P. If it is outgoing 
traffic, I would suggest that you should run Trend's HouseCall (free online 
antivirus) on the Windows servers/workstations of your network.

Also... gateway.dll is because of msn chat. If you add a deny acl for 
gateway.dll in your squid.conf, your workstations won't be able to use msn chat 
any more.

Giorgos Adamopoulos
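An added example, not part of the original thread, applying the advice above: it parses Snort fast-format alert lines for the CyberKit ping signature and reports only sources inside the local network that pinged outward, since those are the hosts worth scanning; inbound hits are ignored as background noise. The alert lines, the sid/rev fields and the 192.0.2.0/24 local range are constructed.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert lines, constructed for this example (addresses from
# documentation ranges; the [gid:sid:rev] fields are placeholders).
SAMPLE_ALERTS = """\
01/18-01:12:17.101 [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
01/18-01:12:18.202 [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Priority: 3] {ICMP} 192.0.2.23 -> 198.51.100.7
01/18-01:12:19.303 [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Priority: 3] {ICMP} 192.0.2.23 -> 198.51.100.8
01/18-01:12:20.404 [**] [1:0:0] ICMP PING CyberKit 2.2 Windows [**] [Priority: 3] {ICMP} 192.0.2.44 -> 203.0.113.77
01/18-01:12:21.505 [**] [1:0:0] ICMP PING Windows [**] [Priority: 3] {ICMP} 192.0.2.44 -> 203.0.113.78
"""

# Matches the message, protocol and src -> dst pair of a fast-format alert.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def outbound_cyberkit_sources(alert_text, local_net):
    """Return {source_ip: count} for CyberKit ping alerts leaving local_net.

    Inbound CyberKit pings (source outside the local range) are skipped,
    matching the observation that they are normal log noise; only local
    hosts pinging outward are reported as candidates for an AV scan.
    """
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or "CyberKit" not in m.group("msg"):
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if src in net and dst not in net:
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in outbound_cyberkit_sources(SAMPLE_ALERTS, "192.0.2.0/24").items():
        print(f"{host}: {n} outbound CyberKit ping alert(s), scan this host")
```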

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html