RE: [Full-Disclosure] Re: Outbreak of a virus on campus
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
- From: "David Hale" <ddh@xxxxxxx>
- Date: Sun, 25 Apr 2004 03:04:49 -0400 (EDT)
Most folks should probably change the sid number to something above
1000000 to comply with snort standards. My sid number was fairly
random based off the first number that came to my head.
-Dave Hale
Sr. Security Specialist
Michigan Technological University
> We have currently blocked connections to/from port 7000 on the
> following hosts:
>
> 130.74.82.206
> 131.234.100.43
> 193.87.20.31
>
> This seems to have contained the spread of the worm within our campus.
> The list of hosts was gathered with a snort signature of:
>
> alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
> content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)
>
> Until the block was in place we had shut down around 50 hosts (mainly on
> our dorm network) that had been infected with the worm.
>
> -Dave Hale
> Sr. Security Specialist
> Michigan Technological University
>
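As an added example, not part of either message in this thread: the quoted signature uses sid:71727, which falls inside the range Snort reserves for its official rulesets, and the follow-up advises moving local rules above 1000000. The small Python linter below parses a one-line Snort rule into its header and option fields (splitting options on ";" while respecting quoted content), reports a sid that is missing, non-numeric or in the reserved range, and renumbers it into the local range. The function names and the 1,000,000 threshold constant are this example's own; the sample rule is the one posted above.

```python
import re

# Snort's convention (as stated in the thread): local rules use sid >= 1000000.
LOCAL_SID_MIN = 1_000_000

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The rule exactly as quoted in the thread (line-wrapped in the e-mail).
POSTED_RULE = (
    'alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; '
    'content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)'
)


def _split_options(opts):
    """Split the option body on ';' but not inside double-quoted strings.

    Handles backslash-escaped characters so content:"a\";b" stays intact.
    """
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(rule_text):
    """Parse a single Snort rule into (header dict, options dict).

    Options with a value become key -> value (surrounding quotes removed);
    flag-style options without a value map to True.
    """
    text = " ".join(rule_text.split())  # undo e-mail line wrapping
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:60])
    header = {k: v for k, v in m.groupdict().items() if k != "opts"}
    opts = {}
    for opt in _split_options(m.group("opts")):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        else:
            opts[opt] = True
    return header, opts


def lint_local_rule(rule_text):
    """Return a list of problems for a rule intended for local.rules."""
    _, opts = parse_rule(rule_text)
    problems = []
    sid = opts.get("sid")
    if sid is None:
        problems.append("missing sid")
    elif not str(sid).isdigit():
        problems.append("sid is not an integer: %r" % sid)
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid %s is in the reserved range (< %d)" % (sid, LOCAL_SID_MIN))
    if "rev" not in opts:
        problems.append("missing rev")
    if "msg" not in opts:
        problems.append("missing msg")
    return problems


def renumber_sid(rule_text, new_sid):
    """Rewrite the sid option in place, leaving every other option untouched."""
    return re.sub(r"sid\s*:\s*\d+\s*;", "sid:%d;" % new_sid, rule_text)


if __name__ == "__main__":
    for problem in lint_local_rule(POSTED_RULE):
        print("posted rule:", problem)
    fixed = renumber_sid(POSTED_RULE, LOCAL_SID_MIN + 1)
    print("after renumbering:", lint_local_rule(fixed) or "no problems")
    print(fixed)
```

Running it flags the posted rule's sid 71727 as reserved and shows the same rule renumbered to sid:1000001, which is what the follow-up message recommends before dropping the signature into a local ruleset.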
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html