
List:       incidents
Subject:    Re: Repository of virus/worm propagation methods?
From:       Vinicius Moreira Mello <vinicius () lineone ! net>
Date:       2003-09-30 23:33:48

Alavan,

	Are these continuous, or did you get them just once? I don't consider 
them, at first, as worms because 8/0 is icmp echo-reply, that comes(?) from 
your(?) network to the Internet. And the second are icmp 
destination-unreachable that also come from your network to the Internet. 
Possibly, your machines are just replying to worm "queries". And remember, 
you're an ISP; blocking icmp, mainly these two, is not a good thing (if I 
were a user I wouldn't like it).

--
Vinicius


Alavan wrote:
> Hello,
> 
> Is there a site that lists how all these virus/worms replicate? 
> Specifically, as a SysAdmin of a small ISP I see patterns of traffic and 
> would like to be able to identify them to help the user clean their 
> machine. For instance, one user's machine is doing this:
> 
> 09-28-2003    20:52:51    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0002.3f92.3fb4) -> 211.250.128.84 (8/0), 1 packet
> 09-28-2003    20:52:50    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0002.3f92.3fb4) -> 218.14.178.79 (8/0), 1 packet
> 09-28-2003    20:52:49    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0002.3f92.3fb4) -> 220.163.35.8 (8/0), 1 packet
> 09-28-2003    20:52:47    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0002.3f92.3fb4) -> 210.41.241.164 (8/0), 1 packet
> 09-28-2003    20:52:47    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0002.3f92.3fb4) -> 61.234.104.60 (8/0), 1 packet
> 
> And yet another is doing this:
> 
> 09-29-2003    09:29:14    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 130.49.75.16 (3/3), 2 packets
> 09-29-2003    09:29:10    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 24.126.252.20 (3/3), 1 packet
> 09-29-2003    09:29:05    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 128.230.232.160 (3/3), 2 packets
> 09-29-2003    09:29:01    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 160.39.195.157 (3/3), 2 packets
> 09-29-2003    09:28:58    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 24.191.211.236 (3/3), 2 packets
> 09-29-2003    09:28:52    list 111 denied icmp 67.98.xxx.xxx 
> (FastEthernet0 0050.bac6.e91a) -> 24.26.255.231 (3/3), 2 packets
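
Deny-log lines in the format quoted above can be summarised per customer MAC address and ICMP type/code; the following is an added example and not part of the original thread. ICMP names follow RFC 792, the fan-out threshold of three distinct destinations and the verdict wording are assumptions, and the sample lines are constructed with documentation addresses and MACs.

```python
import re
from collections import defaultdict

# ICMP (type, code) names per RFC 792; only the pairs relevant to this log.
ICMP_NAMES = {(0, 0): "echo reply", (8, 0): "echo request",
              (3, 3): "destination unreachable (port unreachable)"}
# Types a host sends on its own initiative vs. in reply to a received packet.
ORIGINATED, RESPONSES = {8}, {0, 3}

LINE_RE = re.compile(
    r"list \S+ denied icmp \S+ \(\S+ (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<n>\d+) packets?"
)

# Constructed sample lines in the router's log format (not taken from the thread).
SAMPLE_LOG = """\
09-28-2003    20:52:51    list 111 denied icmp 192.0.2.10 (FastEthernet0 0000.5e00.5301) -> 198.51.100.7 (8/0), 1 packet
09-28-2003    20:52:50    list 111 denied icmp 192.0.2.10 (FastEthernet0 0000.5e00.5301) -> 203.0.113.9 (8/0), 1 packet
09-28-2003    20:52:49    list 111 denied icmp 192.0.2.10 (FastEthernet0 0000.5e00.5301) -> 198.51.100.44 (8/0), 1 packet
09-29-2003    09:29:14    list 111 denied icmp 192.0.2.20 (FastEthernet0 0000.5e00.5302) -> 203.0.113.16 (3/3), 2 packets
09-29-2003    09:29:10    list 111 denied icmp 192.0.2.20 (FastEthernet0 0000.5e00.5302) -> 198.51.100.20 (3/3), 1 packet
09-29-2003    09:29:05    list 111 denied icmp 192.0.2.20 (FastEthernet0 0000.5e00.5302) -> 203.0.113.160 (3/3), 2 packets
09-29-2003    10:00:00    list 111 denied icmp 192.0.2.30 (FastEthernet0 0000.5e00.5303) -> 198.51.100.1 (8/0), 1 packet
"""

def summarize(log_text, fanout=3):
    """Group denied ICMP by (MAC, type, code) and attach a coarse verdict."""
    groups = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines in any other format are skipped
            g = groups[(m["mac"], int(m["type"]), int(m["code"]))]
            g["packets"] += int(m["n"])
            g["dsts"].add(m["dst"])
    report = {}
    for (mac, t, c), g in groups.items():
        if len(g["dsts"]) < fanout:
            verdict = "low fan-out"
        elif t in ORIGINATED:
            verdict = "host is initiating probes to many destinations"
        elif t in RESPONSES:
            verdict = "host is replying to traffic from many apparent sources"
        else:
            verdict = "unclassified"
        name = ICMP_NAMES.get((t, c), "other")
        report[(mac, t, c)] = (name, g["packets"], len(g["dsts"]), verdict)
    return report

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_LOG).items():
        print(key, row)
```

Router log entries that the mail client wrapped onto two lines, as in the quoted message, need to be rejoined into one line per entry before parsing.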

