[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Re: BlackWorm: 2 million infected? ISP notifications.
- To: TheGesus <thegesus@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Re: BlackWorm: 2 million infected? ISP notifications.
- From: Top Secret Battle squad <topsecretbattlesquad@xxxxxxxxx>
- Date: Wed, 25 Jan 2006 22:28:43 -0600
On 1/25/06, TheGesus <thegesus@xxxxxxxxx> wrote:
> On 1/25/06, Top Secret Battle squad <topsecretbattlesquad@xxxxxxxxx> wrote:
> > >A new list of IP's that hit the (still secret) counter address is being
> > >compiled, so we can make another run of ISP notifications.
> >
> > You mean this address? :
> >
> >
> > http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247
> >
> > It's only been in the Symantec description this whole time as:
> >
> > [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247
> >
>
> 3 million now. hehe
>
> Is it just me or is this whole thing getting overblown?
>
Undoubtably. There is simply no way that something with such a dumb
vector for spreading is infecting hosts so quickly.
It was at about 600k when I first took a look at the counter, and
bumping up by 5 or 10 in the time it took me to read the number and
hit reload. Earlier today it was bumping by a few hundred each time,
and it's about the same rate now. I know that as more hosts get
compromised, it should spread faster, but it really seems more like
some guys with scripts are having a good laugh.
Also, this counter script is pretty common, for those of you playing
around with options. You can find a list of options and source code
out there if you just look. If you don't want to contribute to the
count when you poke it, for example, use incr=F.
Love,
The Top Secret Battle Squad
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/