[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser
- To: Thomas Springer <tuevsec@xxxxxxx>
- Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser
- From: Jordan Wiens <jwiens@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 May 2004 11:46:25 -0400 (EDT)
It's random, but doesn't matter what it is. So it'll work with any
number; 7584 sounds just as good as any other 4 digit number. His script
is meant to download from sasser, and it will, just fine.
If the script was using that as a pattern to match on in some sort of ids
then, yes, it wouldn't be very effective, but that's not what it's trying
to do.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
On Wed, 5 May 2004, Thomas Springer wrote:
> RTFM - the 4digit-number mentioned is random. maybe it'll help to
> expand your script to try 9999 combinations or scan 10.000 infected
> hosts. It shouldn't be much of a problem to find them - we still
> experience >50 different sasser-ips per second hammering our firewall.
>
> tom
>
> RandallM wrote:
>
> > <|>---------ftp_commands------
> > <|>open <infected m/c IP> 5554
> > <|>anonymous
> > <|>user
> > <|>bin
> > <|>get 7584_up.exe
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html