[Snort-users] Ramen Worm.......got packets?
austad at ...432...
Thu Jan 18 17:44:00 EST 2001
If you do a search through your snort logs or database for "Synscan", grab
the source IPs, and see if port 27374 is open on the remote host. If so,
it has the ramen worm. 1 out of 3 source IPs I tested today had it; I
emailed the admins of the domain (sfsu.edu).

I'm sure the number of hosts infected will only increase. How long do you
think it will be before someone turns it into a DDoS tool that propagates
itself or into a worm that finds 2 more hosts to propagate to before doing a
"rm -rf /*"?
> -----Original Message-----
> From: Dr SuSE [mailto:drsuse at ...748...]
> Sent: Thursday, January 18, 2001 3:57 AM
> To: Max Vision; Dr SuSE; Snort Users
> Subject: Re: [Snort-users] Ramen Worm.......got packets?
> "Rip Van Winkle's arachNIDS"
> Cool deal.
> > I've got a full writeup with complete packet traces and better signatures
> > coming, started on it last night but (silly human) fell asleep. I wake up
> > and see it's already all over the press and there isn't much in the way of
> > detailed information available yet. Since multiple people sent me the
> > worm I have a feeling that it's pretty widespread so I will very likely
> > post it along with my other materials later today.
> > On Thu, 18 Jan 2001, Dr SuSE wrote:
> > > I was just wondering if anyone was able to get a complete packet trace of
> > > Ramen worm?
> > >
> > > I saw the post about the Ramen worm rules but if I remember correctly the
> > > author didn't have the packet contents or a complete trace.
> > >
> Microsoft is not installed.
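The log triage step described in the message above (search Snort alerts for "Synscan" and collect the source IPs), as an added example that is not part of the original post or of Snort. The sample alert lines are constructed and simplified, and the function name `synscan_sources` is hypothetical; it handles both single-line alerts and multi-line alerts where the addresses follow the message line.

```python
import re
from collections import Counter

# Constructed sample alerts using documentation addresses, not real traffic.
# The first three are single-line alerts; the rest are multi-line alerts,
# where the addresses appear on the line after the message.
SAMPLE_ALERTS = """\
01/18-03:12:44.101 [**] SCAN Synscan Portscan [**] 192.0.2.10:21 -> 203.0.113.5:21
01/18-03:12:45.220 [**] SCAN Synscan Portscan [**] 192.0.2.10:21 -> 203.0.113.6:21
01/18-03:13:02.007 [**] ICMP Echo Request [**] 198.51.100.9 -> 203.0.113.5
[**] SCAN Synscan Portscan [**]
01/18-04:40:10.550 198.51.100.77:21 -> 203.0.113.5:21
TCP TTL:42 TOS:0x0 ID:39426
[**] ICMP Echo Request [**]
01/18-04:41:00.000 198.51.100.9 -> 203.0.113.7
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
MSG = re.compile(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]")   # alert message between [**] markers
FLOW = re.compile(IP + r"\s*->\s*" + IP)            # source -> destination, ports optional


def synscan_sources(text, keyword="synscan"):
    """Count source IPs of alerts whose message contains keyword (case-insensitive)."""
    hits = Counter()
    pending = False  # True after a matching message line that carried no addresses
    for line in text.splitlines():
        msg = MSG.search(line)
        flow = FLOW.search(line)
        if msg:
            wanted = keyword in msg.group(1).lower()
            if wanted and flow:
                hits[flow.group(1)] += 1
            pending = wanted and not flow
        elif pending and flow:
            # Address line belonging to the matching multi-line alert above it.
            hits[flow.group(1)] += 1
            pending = False
    return hits


if __name__ == "__main__":
    # Most frequent scanners first.
    for ip, count in synscan_sources(SAMPLE_ALERTS).most_common():
        print(f"{ip}\t{count}")
```

Sorting by alert count puts the most active scanning hosts first when deciding which domain admins to notify.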