DoS from 127.0.0.1
We have received log files of a reported DoS attack with a source address of 127.0.0.1 (loopback). The packets were TCP resets (RST) with a source port of 80 and a destination port between 1000 and 2000. The packets carried no data. After analysis, these packets appear to be fallout from the Blaster worm. If service providers or network administrators changed windowsupdate.com to resolve to 127.0.0.1, a host infected with Blaster attempts to perform its DoS against itself (127.0.0.1). The problem with this approach is that the worm spoofs the source address before sending each packet. When the infected machine's TCP/IP stack receives the packet (a TCP SYN to port 80), it responds to the spoofed source IP address with a TCP RST; that RST leaves the machine with 127.0.0.1 as its source address. The spoofed addresses are random numbers based on the machine's Class B address. If you have identified such behavior on your network, you can attempt to trace the infected machine by MAC address. Please also send us some logs of the activity so we can compare your incident to the others we have received. More information on the Blaster worm can be found at your favorite anti-virus site.

------------------------------------------------------------------------

Server compromise at gnome.org

The GNOME project suspects a compromise of several servers. GNOME is an open-source project that provides a UNIX and Linux desktop similar to the KDE desktop environment. It appears that no source code or distribution files were modified.

Source: http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

"We've discovered evidence of an intrusion on the server hosting www.gnome.org and other gnome.org websites. At the present time, we think that the released gnome sources and the gnome source code repository are unaffected. We are investigating further and will provide updates as we know more. We hope to have the essential services hosted on the affected machine up and running again as soon as possible.

The GNOME sysadmin team
23 March 2003"

A follow-up e-mail was posted to the GNOME mailing list that shows they are making fast progress in restoring the services on these machines: http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

------------------------------------------------------------------------

Netsky.P still spreading

The Netsky.P virus/worm is still spreading according to anti-virus sites, and we continue to see it in our mailboxes. One of the possible e-mail messages it sends carries a FROM: address of a well-known anti-virus company and the following message:

    The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature.

    Sincerly,
    Robert Ferrew

It may also append the following text, substituting any popular anti-virus company name:

    +++ Attachment: No Virus found +++
    MC-Afee AntiVirus - www.mcafee.com
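As an added example (not part of this diary), a small Python detector for the RST pattern described in the "DoS from 127.0.0.1" section above, run over constructed firewall log lines in an assumed format. Because the diary notes that the IP source is spoofed and the infected machine has to be traced by MAC address, hits are grouped by the source MAC recorded in the log, and the /16 the RSTs land in is reported as the sender's likely Class B.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not from the diary); the format is assumed:
#   <ts> <action> <proto> <src>:<sport> -> <dst>:<dport> flags=<F> len=<n> mac=<src MAC>
SAMPLE_LOG = """\
Mar 28 10:01:02 DENY TCP 127.0.0.1:80 -> 192.168.7.10:1533 flags=RST len=0 mac=00:0c:29:aa:bb:cc
Mar 28 10:01:02 DENY TCP 127.0.0.1:80 -> 192.168.7.10:1534 flags=RST len=0 mac=00:0c:29:aa:bb:cc
Mar 28 10:01:03 DENY TCP 127.0.0.1:80 -> 192.168.201.5:1535 flags=RST len=0 mac=00:0c:29:aa:bb:cc
Mar 28 10:01:03 DENY TCP 127.0.0.1:80 -> 192.168.9.44:1201 flags=RST len=0 mac=00:0c:29:aa:bb:cc
Mar 28 10:01:05 DENY TCP 127.0.0.1:80 -> 192.168.7.10:4000 flags=RST len=0 mac=00:0c:29:aa:bb:cc
Mar 28 10:01:06 DENY TCP 127.0.0.1:80 -> 192.168.7.10:1600 flags=RST len=40 mac=00:50:56:11:22:33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+) len=(?P<len>\d+) mac=(?P<mac>[0-9a-f:]+)$"
)

def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def is_blaster_rst_fallout(rec):
    """Signature from the diary: TCP RST from 127.0.0.1:80 to port 1000-2000, no payload."""
    return (rec is not None and rec["proto"] == "TCP"
            and rec["src"] == "127.0.0.1" and rec["sport"] == 80
            and 1000 <= rec["dport"] <= 2000
            and rec["flags"] == "RST" and rec["len"] == 0)

def suspects_by_mac(log_text):
    """Group matching packets by source MAC (the IP header is spoofed, the MAC is
    not) and record which /16 the RSTs land in, i.e. the sender's Class B."""
    report = defaultdict(lambda: {"count": 0, "target_nets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_blaster_rst_fallout(rec):
            net = ipaddress.ip_network(rec["dst"] + "/16", strict=False)
            report[rec["mac"]]["count"] += 1
            report[rec["mac"]]["target_nets"].add(str(net))
    return dict(report)
```

A RST with a 127.0.0.1 source arriving on a real interface is never legitimate, so even a single hit is worth a look; the per-MAC count just tells you which switch port to chase first.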
Handlers, Mar 28th 2004