[linux-elitists] Worm, etc.

Jim Bray jb@as220.org
Sat Jan 25 16:43:40 PST 2003


> Message: 2
> Date: Sat, 25 Jan 2003 01:16:43 -0500
> From: Modus Operandi <modus@as220.org>
> To: /dev/random <linux-elitists@zgp.org>
> Subject: [linux-elitists] Re: [worldofwrong] Fwd: Dept. of Homeland Security Web site Launched

>   http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.dhs.gov&submit=Examine
> 
>   That's the real Department of Homeland Security ... and like I
>   said, there's not a happy penguin in the bunch.

  Looks like they might have realised they screwed up.
lynx -head dhs.gov shows:

HTTP/1.0 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://www.dhs.gov/

  And the netcraft site shows it switched from being win2k to Linux
today. Probably the worm got the win2k box.

  As for the worm: I noticed the net got slow. I added the LOG module
to iptables, and am not getting packets to 1434, but I did notice
interesting things of the form below. Looks like the reports about
M$ clients cheating on TCP may be valid.


Jan 25 18:10:18 [kernel] SRC=64.222.42.101 DST=140.159.26.211 LEN=475
TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=TCP SPT=6346 DPT=3079
SEQ=3892381393 ACK=1248431172 WINDOW=11520 RES=0x00 ACK PSH URGP=0 OPT
(0101080A019B47C402FBD6FC) ip_conntrack_tcp: INVALID: Out of window
data; (S)ACK is over the upper bound (ACKed data has never seen yet)

-- 
Jim Bray <jb@as220.org>
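
Added example, not part of the original message: a small Python parser for iptables LOG entries like the one quoted above, counting packets to UDP port 1434 separately from entries that conntrack marked INVALID. The first sample line is the entry from the post re-joined onto one line; the second line, its addresses, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1: the entry quoted in the post, re-joined onto one line.
# Line 2: constructed for this example (documentation addresses).
SAMPLE_LOG = """\
Jan 25 18:10:18 [kernel] SRC=64.222.42.101 DST=140.159.26.211 LEN=475 TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=TCP SPT=6346 DPT=3079 SEQ=3892381393 ACK=1248431172 WINDOW=11520 RES=0x00 ACK PSH URGP=0 OPT (0101080A019B47C402FBD6FC) ip_conntrack_tcp: INVALID: Out of window data; (S)ACK is over the upper bound (ACKed data has never seen yet)
Jan 25 18:10:19 [kernel] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=4321 PROTO=UDP SPT=1052 DPT=1434 LEN=384
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")
INVALID = re.compile(r"ip_conntrack_\w+: INVALID: (.+)$")


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG entry plus any conntrack verdict."""
    fields = {}
    for key, value in KV.findall(line):
        # UDP entries carry LEN twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    match = INVALID.search(line)
    fields["INVALID"] = match.group(1) if match else None
    return fields


def classify(fields, watch_port=1434):
    """Label an entry: traffic to the watched UDP port, conntrack INVALID, or other."""
    if fields.get("PROTO") == "UDP" and fields.get("DPT") == str(watch_port):
        return "udp-%d" % watch_port
    if fields["INVALID"]:
        return "conntrack-invalid"
    return "other"


def summarize(text):
    """Count LOG entries per label, skipping lines that are not packet dumps."""
    counts = Counter()
    for line in text.splitlines():
        if "SRC=" in line:
            counts[classify(parse_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```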


