I've never seen it do that, in the about 50 or so instances
I've encountered. Does it only do it occasionally? Does it
attack the same host against which 135/tcp failed, or some
random third party?
(Does it, perhaps, distinguish between 135/tcp "failed to
connect" and 135/tcp "connected, but target was patched and
so could not be infected"?)
David Gillett
> -----Original Message-----
> From: Jose Nazario [mailto:jose (at) monkey (dot) org [email concealed]]
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
>
>
> its welchia/nachi. when it can't connect via 135/tcp, it will
> attempt an
> exploit against a webdav server (see MS03-007).
>
> i've seen an uptick in this in the past couple of days, too,
> visible on a
> few httpd servers i track. and i, too, was caught off guard
> until someone
> pointed out it was nachi to me. digging into the tech details
> showed that
> i (and many of us) had been overlooking a secondary attack.
>
> ___________________________
> jose nazario, ph.d. jose (at) monkey (dot) org [email concealed]
> http://monkey.org/~jose/
>
I've encountered. Does it only do it occasionally? Does it
attack the same host against which 135/tcp failed, or some
random third party?
(Does it, perhaps, distinguish between 135/tcp "failed to
connect" and 135/tcp "connected, but target was patched and
so could not be infected"?)
David Gillett
> -----Original Message-----
> From: Jose Nazario [mailto:jose (at) monkey (dot) org [email concealed]]
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
>
>
> its welchia/nachi. when it can't connect via 135/tcp, it will
> attempt an
> exploit against a webdav server (see MS03-007).
>
> i've seen an uptick in this in the past couple of days, too,
> visible on a
> few httpd servers i track. and i, too, was caught off guard
> until someone
> pointed out it was nachi to me. digging into the tech details
> showed that
> i (and many of us) had been overlooking a secondary attack.
>
> ___________________________
> jose nazario, ph.d. jose (at) monkey (dot) org [email concealed]
> http://monkey.org/~jose/
>
[ reply ]