A worm that kills the worm (notice high ping rates?)

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

This goes after the worm AND the hole, kills and closes it, but ping rates are now WAY above normal.

Note the address localization:
The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks; for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.


Once it gets close to you (from one random hit), things start getting worse quickly!

My firewall log is getting blasted!
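
Added example, not part of the original posts: a small detector for the counting-up ping sweep described in the quoted write-up, which flags ICMP sources that hit a run of consecutive addresses and notes whether the targets lie in the source's own A.B.x.x range. The four-field log format, the addresses and the function names are constructed for illustration and are not any particular firewall's output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic): time, source, destination, protocol
SAMPLE_LOG = """\
12:00:01 10.20.5.17 10.20.0.1 ICMP
12:00:01 10.20.5.17 10.20.0.2 ICMP
12:00:02 10.20.5.17 10.20.0.3 ICMP
12:00:02 10.20.5.17 10.20.0.4 ICMP
12:00:03 192.0.2.44 10.20.9.9 ICMP
12:00:04 10.20.7.2 10.20.7.1 TCP
12:00:05 198.51.100.8 10.20.1.0 ICMP
12:00:05 198.51.100.8 10.20.1.1 ICMP
12:00:05 198.51.100.8 10.20.1.2 ICMP
12:00:06 198.51.100.8 10.20.1.3 ICMP
garbage line
"""

def longest_run(addrs):
    """Length of the longest run of consecutive integer addresses."""
    best, run, prev = 0, 0, None
    for a in sorted(addrs):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best

def find_sweepers(log_text, min_run=4):
    """Return {source: (run_length, targets_in_source_slash16)} for ICMP sweeps."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].upper() != "ICMP":
            continue  # malformed record or not a ping
        try:
            src, dst = (ipaddress.IPv4Address(p) for p in parts[1:3])
        except ValueError:
            continue  # unparseable address
        targets[src].add(int(dst))
    result = {}
    for src, dsts in targets.items():
        run = longest_run(dsts)
        if run >= min_run:
            # A.B.0.0 localization: every target shares the source's first two octets
            local = all(d >> 16 == int(src) >> 16 for d in dsts)
            result[str(src)] = (run, local)
    return result

print(find_sweepers(SAMPLE_LOG))
```

A source flagged with `True` matches the "start at A.B.0.0 and count up" pattern from an infected neighbour; `False` corresponds to a sweep whose start address lies outside the source's own range.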
 
Outpost 2.0 Pro - a nice firewall but for the inability to manage log file size!

I activated network card driver blocking to keep the logfile from growing too fast, and in about one hour, it's counted - 507

I do like my Intel 82558 based card with PRO drivers and Priority Packet - it can do basic packet dropping without bothering the firewall about it!

Mind you, it's broad brush, so unlike the firewall, it prevents me pinging out as well.
 
Well, my son recently installed a Linux server for me with my 56k modem attached (dialup is all that I can get here :( ) running IPCop 1.30. In 5hrs yesterday, I got 1678 login attempts from 2 sites in China. Got 557 attempts the day before. In the first 20min today, I already have 94 login attempts from the same 2 Chinese sites.

Thank God for Linux.
 