[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Sasser skips 10.x.x.x Why?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Sasser skips 10.x.x.x Why?
- From: Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx>
- Date: Mon, 3 May 2004 18:52:57 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have several cases of machines on 172.18.X.X networks infecting
each other.
On Mon, May 03, 2004 at 12:44:31PM -0700, Eric Chien wrote:
> Actually, it is all variants (.A - .D). And more
> specifically, it iterates through all the host IP
> addresses looking for an address that does not match:
> 127.0.0.1
> 10.
> 172.16 - 172.31 (inclusive)
> 192.168.
> 169.254
>
> Then, using this address it creates a random address
> (sometimes changing all octets, sometimes just the
> last three, and sometimes just the last two).
>
> ...Eric
>
> --- Shawn Cox <shawn.cox@xxxxxxxx> wrote:
> > It appears that only .D skips private ranges. I
> > incorrectly assumed that
> > the original would do the same.
> >
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D&VSect=T
> >
> > --Shawn
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
- --
Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAlr84pdyWzQ5b5ckRArQnAKCF+8d9s9yRKige5HM4yHlzs+gFEACgjylU
yCiXhCxRPNpFFVkU2/QnCHI=
=e9Ce
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html