[Snort-users] Linux worm: stuff.tgz, CHAOS/TXT
ian at ...686...
Sat Jun 23 16:57:27 EDT 2001
-----BEGIN PGP SIGNED MESSAGE-----
Is this something that has been around for a while? There is a worm
spreading via bind (suprise!) which scans for victims using CHAOS/TXT
queries. After finding and compromising the victim it establishes a
webserver on tcp port 12321 on the victim to serve files to future victims.
I checked my packet dumps and found several infected hosts.
If you want to poke at it, the following hosts is currently up, but I did
notify the whois contact.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.
-----END PGP SIGNATURE-----
More information about the Snort-users