SANS ISC: DoS from 127.0.0.1; Server compromise at gnome.org; Netsky.P still spreading - Internet Security | DShield

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

DoS from 127.0.0.1

We have received log files of a reported DoS attack with a source
address of 127.0.0.1 (loopback). The packets were TCP resets (RST) with
a source port of 80 and destination port between 1000-2000. No data was
contained in the packets.

After analysis, these packets appear to be fall-out from the Blaster
worm. If service providers or network administrators changed the
windowsupdate.com address to resolve to 127.0.0.1, a host infected with
Blaster will attempt to perform a DoS against itself (127.0.0.1). The
problem with this approach is that the worm spoofs the source address
before sending the packet. When the infected machine's TCP/IP stack
receives the packet (TCP 80 SYN request), it attempts to respond to the
spoofed source IP address with TCP RST. The spoofed IP addresses are a
random number based on the machine's CLASS B address.

If you have identified such behavior on your network, you can attempt
to trace the infected machine by MAC address. And send us some logs of
the activity so we can compare your incident to the others we have
received.

More information on the Blaster worm can be found at your favorite
anti-virus site.

------------------------------------------------------------------------

Server compromise at gnome.org

The GNOME project suspects a compromise on several servers. GNOME is an
open-source project that provides UNIX and Linux desktop similar to the
KDE desktop environment. It appears that no source code or distribution
files were modified.

Source:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

"We've discovered evidence of an intrusion on the server hosting
www.gnome.org and other gnome.org websites. At the present time, we
think that the released gnome sources and the gnome source code
repository are unaffected.

We are investigating further and will provide updates as we know more.
We hope to have the essential services hosted on the affected machine
up and running again as soon as possible.

The GNOME sysadmin team
23 March 2003"

A follow-up e-mail was posted to the GNOME mailing list that shows they
are making fast progress in restoring the services on these machines:
http://mail.gnome.org/archives/gnome-announce-list/2004-March/msg00113.html

------------------------------------------------------------------------

Netsky.P still spreading

The Netsky.P virus/worm is still spreading according to antivirus sites
and we continue to see it in our mailboxes. One of the possible e-mail
messages it sends contains a FROM: address of well-known anti-virus
companies and the following message:

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

It may also append the following text, substituting any popular anti-
virus company name:
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com

[EOF]