Hi!

On Mon, Oct 27, 2003 at 18:18 +0200, Michael Vasilenko wrote:
Yury Yaroshevsky (yk@donbass.net) wrote:
On Thu, Oct 23, 2003 at 09:14:31AM +0300, Yury Yaroshevsky wrote:
YY>Has anyone perhaps run into the following case:
YY>xxxx# sh ip cache flow | inc 127.0.0.1
YY>Et0/0 127.0.0.1 Null 195.184.128.93 06 0050 04EA 1
YY>Et0/0 127.0.0.1 Null 195.184.81.12 06 0050 058D 1
^^^^^^^^^^^^
i.e. this is TCP with src-ip 127.0.0.1 and src-port 80 to completely different dst-ip & dst-port

This traffic with src 127.0.0.1:80 has been crawling around for about two months already, if not more. Though the point of such scans really is unclear.

And what worm/virus is this?

So, does nobody actually know?
http://lists.netsys.com/pipermail/full-disclosure/2003-August/008308.html

------------snip------------
This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1 the following will happen: The worm uses spoofed IPs from the local /16 subnet as source address. Pointing all the syn packets to 127.0.0.1 will generate a RST packet from the local host to the spoofed IPs and spread traffic over the complete internal network.

Even blocking or routing the normally resolved IP to Null0 will be a lot of work because this domain is loadbalanced through the world. That means you get a different resolution depending on your ISP or place in the world.

If you manipulate your DNS, you should give no A-Record back to the worm. With this the worm will not start attacking anything. So setting up a nameserver zone with only a SOA record will do the job for Saturday 0:00.
------------snap------------

===================================================================
uanog mailing list.
To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message
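Added example, not part of the original thread: a small Python filter for the `sh ip cache flow` rows quoted above, which decodes the hexadecimal protocol and port columns and reports flows whose source address is in 127.0.0.0/8. The column order is taken from the two rows in the post; the third sample row and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src_if: str
    src_ip: ipaddress.IPv4Address
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    proto: int      # IP protocol number (column is hex, 06 = TCP)
    src_port: int   # column is hex, 0050 = 80
    dst_port: int   # column is hex
    packets: int

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow row; return None for prompts, headers and other text."""
    f = line.split()
    if len(f) != 8:
        return None
    try:
        return Flow(f[0], ipaddress.IPv4Address(f[1]), f[2],
                    ipaddress.IPv4Address(f[3]),
                    int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7]))
    except ValueError:  # e.g. the CLI prompt line, which also has 8 tokens
        return None

def loopback_sourced(lines):
    """Return flows whose source is 127.0.0.0/8, which should never be routed."""
    flows = (parse_flow(line) for line in lines)
    return [fl for fl in flows if fl is not None and fl.src_ip.is_loopback]

def summarize(flows):
    """Group by (protocol, source port) -> set of (dst_ip, dst_port)."""
    out = defaultdict(set)
    for fl in flows:
        out[(fl.proto, fl.src_port)].add((str(fl.dst_ip), fl.dst_port))
    return dict(out)

# First three lines are from the post; the last row is constructed.
SAMPLE = """\
xxxx# sh ip cache flow | inc 127.0.0.1
Et0/0 127.0.0.1 Null 195.184.128.93 06 0050 04EA 1
Et0/0 127.0.0.1 Null 195.184.81.12 06 0050 058D 1
Et0/0 192.0.2.10 Et0/1 198.51.100.7 06 0401 0050 12
""".splitlines()

if __name__ == "__main__":
    for (proto, sport), dsts in summarize(loopback_sourced(SAMPLE)).items():
        print(f"proto={proto} src-port={sport}: {len(dsts)} destinations")
        for ip, dport in sorted(dsts):
            print(f"  -> {ip}:{dport}")
```
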