[linux-elitists] Worm, etc.
Sat Jan 25 16:43:40 PST 2003
> Message: 2
> Date: Sat, 25 Jan 2003 01:16:43 -0500
> From: Modus Operandi <email@example.com>
> To: /dev/random <firstname.lastname@example.org>
> Subject: [linux-elitists] Re: [worldofwrong] Fwd: Dept. of Homeland Security Web site Launched
> That's the real Department of Homeland Security ... and like I
> said, there's not a happy penguin in the bunch.
Looks like they might have realised they screwed up.
lynx -head dhs.gov shows:
HTTP/1.0 302 Moved
And the Netcraft site shows it switched from being win2k to Linux
today. Probably the worm got the win2k box.
As for the worm: I noticed the net got slow. I added the LOG module
to iptables, and am not getting packets to 1434, but I did notice
interesting things of the form below. Looks like the reports about
M$ clients cheating on TCP may be valid.
Jan 25 18:10:18 [kernel] SRC=18.104.22.168 DST=22.214.171.124 LEN=475
TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=TCP SPT=6346 DPT=3079
SEQ=3892381393 ACK=1248431172 WINDOW=11520 RES=0x00 ACK PSH URGP=0 OPT
(0101080A019B47C402FBD6FC) ip_conntrack_tcp: INVALID: Out of window
data; (S)ACK is over the upper bound (ACKed data has never seen yet)
Jim Bray <email@example.com>
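
Added example (not part of the original post): a small Python parser for netfilter LOG lines of the kind quoted above. It counts packets to port 1434 per source and pulls out the ip_conntrack_tcp INVALID verdicts. The sample lines and their addresses are constructed, and treating the worm traffic as UDP is an assumption, since the post gives only the port number.

```python
import re
from collections import Counter

# Constructed sample lines in the LOG format quoted in the post (documentation
# address ranges, made-up SEQ/ACK/ID values); none of them come from the post.
SAMPLE_LOG = """\
Jan 25 18:10:17 [kernel] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=4321 PROTO=UDP SPT=1033 DPT=1434 LEN=384
Jan 25 18:10:18 [kernel] SRC=198.51.100.5 DST=203.0.113.7 LEN=475 TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=TCP SPT=6346 DPT=3079 SEQ=1 ACK=2 WINDOW=11520 RES=0x00 ACK PSH URGP=0 ip_conntrack_tcp: INVALID: Out of window data; (S)ACK is over the upper bound (ACKed data has never seen yet)
Jan 25 18:10:19 [kernel] IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=99 DF PROTO=TCP SPT=40000 DPT=1434 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 18:10:20 [kernel] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=4322 PROTO=UDP SPT=1033 DPT=1434 LEN=384
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
CONNTRACK = re.compile(r"ip_conntrack_tcp: INVALID: (.+)$")

def parse_line(line):
    """Return the KEY=value fields of one LOG line, plus any conntrack verdict."""
    fields = {}
    for key, value in FIELD.findall(line):
        # UDP lines carry LEN= twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    verdict = CONNTRACK.search(line)
    if verdict:
        fields["CONNTRACK_INVALID"] = verdict.group(1).strip()
    return fields

def summarize(log_text, port=1434, proto="UDP"):
    """Count packets to the watched port per source; collect INVALID verdicts."""
    hits = Counter()   # source address -> packets to proto/port
    invalid = []       # (src, sport, dst, dport, reason)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" not in f or "PROTO" not in f:
            continue   # not a packet log line
        if f["PROTO"] == proto and f.get("DPT") == str(port):
            hits[f["SRC"]] += 1
        if "CONNTRACK_INVALID" in f:
            invalid.append((f["SRC"], f.get("SPT"), f["DST"], f.get("DPT"),
                            f["CONNTRACK_INVALID"]))
    return hits, invalid

if __name__ == "__main__":
    hits, invalid = summarize(SAMPLE_LOG)
    for src, count in hits.most_common():
        print(f"{src}: {count} packet(s) to UDP/1434")
    for src, sport, dst, dport, reason in invalid:
        print(f"INVALID {src}:{sport} -> {dst}:{dport}: {reason}")
```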