[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-Disclosure] Wanted: Sasser executable and derivatives
From: Steve Kudlak <chromazine () sbcglobal ! net>
Date: 2004-06-29 1:38:25
Message-ID: 40E0C811.1090102 () sbcglobal ! net
[Download RAW message or body]
I look at what my antivirus things catch and what sentinare catches on
my formal account. Sentinare is pretty good with all this stuff. I have
not seen Sasser. I have seen Swen and BAGLE and IRCBOT.
The IRCBots stopped when I turnd off sharing on pretty much everything.
I was sharing files between my main Win2k machine and the virtua;
Red Hat Linux I have been working with.
Have Fun,
Sends Steve
James Riden wrote:
>Syke <syke@mantissecurity.net> writes:
>
>
>
>
>> Wouldn't it be easier to use honeyd(www.honeyd.org) with an LSASS or
>>mydoom script? That way you can just check the logs for the binaries
>>that were uploaded?
>>
>>
>
>Yes, because you'll get an awful lot more than Sasser if you put an
>unpatched Win32 machine on the 'net. Even if you just leave off the
>MS04-011 patch, you could get other things, such as Korgo and Agobot
>variants IIRC.
>
>cheers,
> Jamie
>
>
[Attachment #3 (text/html)]
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
I look at what my antivirus things catch and what sentinare catches on<br>
my formal account. Sentinare is pretty good with all this stuff. I have<br>
not seen Sasser. I have seen Swen and BAGLE and IRCBOT.<br>
The IRCBots stopped when I turnd off sharing on pretty much everything.<br>
I was sharing files between my main Win2k machine and the virtua;<br>
Red Hat Linux I have been working with.<br>
<br>
Have Fun,<br>
Sends Steve<br>
<br>
<br>
James Riden wrote:<br>
<blockquote type="cite" cite="mid87zn6o8auw.fsf@it029205.massey.ac.nz">
<pre wrap="">Syke <a class="moz-txt-link-rfc2396E" \
href="mailto:syke@mantissecurity.net"><syke@mantissecurity.net></a> writes:
</pre>
<blockquote type="cite">
<pre wrap=""> Wouldn't it be easier to use honeyd(<a class="moz-txt-link-abbreviated" \
href="http://www.honeyd.org">www.honeyd.org</a>) with an LSASS or mydoom script? That way you \
can just check the logs for the binaries that were uploaded?
</pre>
</blockquote>
<pre wrap=""><!---->
Yes, because you'll get an awful lot more than Sasser if you put an
unpatched Win32 machine on the 'net. Even if you just leave off the
MS04-011 patch, you could get other things, such as Korgo and Agobot
variants IIRC.
cheers,
Jamie
</pre>
</blockquote>
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic