[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dshield
Subject:    Re: [Dshield] Veritas Backup Exec Scanning
From:       Blake McNeill <mcneillb () linklogger ! com>
Date:       2005-06-30 5:30:24
Message-ID: 0IIV00DB9TYU9T () l-daemon
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


PortPeeker capture of the attack attempt at
http://www.linklogger.com/TCP10000Capture.htm

Seeing more and more of these.

Blake

-----Original Message-----
From: list-bounces@lists.dshield.org [mailto:list-bounces@lists.dshield.org]
On Behalf Of TRushing@hollandco.com
Sent: Monday, June 27, 2005 9:55 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Veritas Backup Exec Scanning

What I find particularly interesting in looking at the Dshield port 
history for the Veritas vulnerabilitiy

http://www.dshield.org/port_report.php?port=10000&recax=1&tarax=2&srcax=2&pe
rcent=N&days=40&Redraw=

is that for the most part, targets are in the double (and sometimes 
triple) digits until the scans began to pick up after the notice came out 
late last week.

However, on 28 May, there are 25 source machines scanning nearly 50,000 
hosts.  That really stands out.  I imagine that it would be easy for 
Johannes or someone to look at those 25 source ips and determine whether 
that was the vendor or discoverer checking to see how widespread the 
problem was or if it was something else.  If we do end up with a worm out 
of this, I imagine those 25 addresses should get some closer scrutiny.

Tim Rushing
The Holland Company

_______________________________________________
send all posts to list@lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


_______________________________________________
send all posts to list@lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


[prev in list] [next in list] [prev in thread] [next in thread]