Date: Thu, 27 Dec 2001 22:14:05 -0800 From: "Kutulu" <kutulu@kutulu.org> To: "Peter Ong" <peter@haloflightleader.net>, "Julien B." <jbe@cpu.ath.cx> Cc: <freebsd-stable@FreeBSD.ORG> Subject: Re: Trying NT Hacks Message-ID: <00f501c18f66$da8044c0$88682518@cc191573g> References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <20011228035757.A99350@harimandir> <018901c18f4c$22402480$0101a8c0@haloflightleader.net>
next in thread | previous in thread | raw e-mail | index | archive | help
From: "Peter Ong" <peter@haloflightleader.net> Sent: Thursday, December 27, 2001 7:02 PM Subject: Re: Trying NT Hacks > Really... I just wonder how they figure out the IPs, other than randomly > guessing. Someone did mention that, and I guess there really aren't that > many IP addresses that a computer could randomly generate in a short amount > of time without covering the whole spectrum. They are scanning. Nimda doesn't just guess IP's, it tries every single IP in the entire subnet. That is, if your IP address is 192.168.45.23 and you are inftected, your machine will loop through trying to connect (and infect) every IP address from 192.168.0.1 to 192.168.255.254. This can be quite time-consuming (especially if many of those IP's are not online, or dropping packets aimed at port 80 without sending a RST). But the worm isn't really concerned about the efficiency of the machine it infected, or the bandwidth it's wasting, so it turns out to be quite an effective way to spread. --K To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00f501c18f66$da8044c0$88682518>