SANS ISC: InfoSec Handlers Diary Blog

DoS from; Server compromise at; Netsky.P still spreading

Published: 2004-03-25
Last Updated: 2004-03-28 16:10:09 UTC
by Handlers (Version: 1)
DoS from

We have received log files of a reported DoS attack in which the source
address of the packets was the loopback address. The packets were TCP
resets (RST) with a source port of 80 and a destination port between 1000
and 2000, and they carried no data.

After analysis, these packets appear to be fall-out from the Blaster
worm. Blaster floods TCP port 80 of the hostname it targets with SYN
packets. If a service provider or network administrator changed that
name to resolve to the loopback address, a host infected with Blaster
directs the flood at itself and performs a DoS against its own stack. The
problem with this approach is that the worm spoofs the source address of
each SYN before sending it: the spoofed addresses keep the first two
octets of the infected machine's own address (its /16, or "class B"
network) and randomize the remaining two. When the infected machine's
TCP/IP stack receives such a SYN on port 80 and has no listener there, it
responds with a TCP RST to the spoofed source address. The result is the
pattern seen in the logs: empty RSTs from the loopback address, source
port 80, sprayed across addresses in the infected host's own /16.

If you have identified such behavior on your network, you can attempt
to trace the infected machine by MAC address; the IP addresses in the
packets are spoofed and will not identify it. Please also send us logs
of the activity so we can compare your incident with the others we have.
More information on the Blaster worm can be found at your favorite
anti-virus site.
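The following is an added example, not code from the diary or from the ISC handlers. It runs the detection logic described above over a small set of constructed log lines in an assumed, simplified "src:sport > dst:dport flags=F len=N" format (not the format of any particular firewall): it flags empty TCP RSTs from the loopback address (assumed here to be 127.0.0.1) with source port 80 and destination port 1000-2000, and then checks whether the RST destinations all fall in one /16, which is where the infected host sits, since Blaster keeps the host's first two octets when it spoofs. The function and log-line names are this example's own.

```python
import ipaddress
import re

# Constructed sample log lines for this example (not from the diary).
# Lines 1-3 are the Blaster fall-out pattern; the rest are decoys:
# a normal DNS query, an RST to a port outside 1000-2000, an RST with
# payload, and an RST from a non-loopback source.
SAMPLE_LOG = """\
127.0.0.1:80 > 10.7.33.19:1004 flags=R len=0
127.0.0.1:80 > 10.7.201.5:1005 flags=R len=0
127.0.0.1:80 > 10.7.9.140:1006 flags=R len=0
10.7.33.19:3201 > 10.7.1.1:53 flags=S len=0
127.0.0.1:80 > 10.7.4.2:443 flags=R len=0
127.0.0.1:80 > 10.7.4.2:1500 flags=R len=40
192.0.2.10:80 > 10.7.4.2:1500 flags=R len=0
"""

LOOPBACK = "127.0.0.1"  # assumption: the loopback address used in the redirect

# Assumed log format: "src:sport > dst:dport flags=<TCP flag letters> len=<payload bytes>"
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "flags": d["flags"], "len": int(d["len"])}


def is_blaster_fallout(pkt):
    """Match the diary's pattern: empty RST from loopback, sport 80, dport 1000-2000."""
    return (pkt["src"] == LOOPBACK
            and pkt["sport"] == 80
            and 1000 <= pkt["dport"] <= 2000
            and "R" in pkt["flags"]
            and pkt["len"] == 0)


def flag_blaster_fallout(log_text):
    """Return the parsed packets in log_text that match the fall-out pattern."""
    pkts = (parse_line(line) for line in log_text.splitlines())
    return [p for p in pkts if p is not None and is_blaster_fallout(p)]


def same_class_b(addr_a, addr_b):
    """True if both addresses share their first two octets (the same /16)."""
    net = ipaddress.ip_network(f"{addr_b}/16", strict=False)
    return ipaddress.ip_address(addr_a) in net


def suspected_infected_net(log_text):
    """Return the /16 that every flagged RST destination falls in.

    Blaster spoofs sources inside the infected host's own /16, so the RST
    destinations cluster there. Returns None if there are no hits or the
    hits do not agree on a single /16.
    """
    hits = flag_blaster_fallout(log_text)
    if not hits:
        return None
    net = ipaddress.ip_network(f"{hits[0]['dst']}/16", strict=False)
    if all(ipaddress.ip_address(p["dst"]) in net for p in hits):
        return str(net)
    return None


if __name__ == "__main__":
    for p in flag_blaster_fallout(SAMPLE_LOG):
        print(f"fall-out RST -> {p['dst']}:{p['dport']}")
    print("infected host is probably in:", suspected_infected_net(SAMPLE_LOG))
```

Because every source address in the flood is spoofed, the /16 is as far as the IP layer will take you; the diary's advice to trace the machine by MAC address follows from that.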


Server compromise at

The GNOME project suspects a compromise of several of its servers. GNOME
is an open-source project that provides a UNIX and Linux desktop
environment, comparable to KDE. It appears that no source code or
distribution files were modified.


"We've discovered evidence of an intrusion on the server hosting and other websites. At the present time, we
think that the released gnome sources and the gnome source code
repository are unaffected.

We are investigating further and will provide updates as we know more.
We hope to have the essential services hosted on the affected machine
up and running again as soon as possible.

The GNOME sysadmin team
23 March 2003"

A follow-up e-mail posted to the GNOME mailing list shows that they are
making fast progress in restoring the services on these machines.


Netsky.P still spreading

The Netsky.P virus/worm is still spreading according to anti-virus
sites, and we continue to see it in our mailboxes. One of the e-mail
messages it sends carries a forged From: address at a well-known
anti-virus company and the following body:

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Robert Ferrew

It may also append the following text, substituting the name of any
popular anti-virus company:
+++ Attachment: No Virus found +++ MC-Afee AntiVirus -
