I found a worm! - Journal of Omnifarious
Dec. 18th, 2002
08:30 pm - I found a worm!
I'm so proud of myself.
I completely redid the two most important computers on my network, my firewall and the main server box. When I redid my firewall, I was much more careful about how I structured the filtering rules. Since I was more careful, I was able to cordon off some anomalous behavior as being indicative of an attack, so I arranged to log incoming packets that looked like they might be part of an attack.
As soon as I got the ruleset all squared away and reconnected to the Internet, I started seeing the logging rules activated. Over the next few hours, I logged several things that looked like people probing my network in preparation for an attack, and these attempts followed some patterns. This worried me, so I sent the logs to Visi, my ISP, and asked them if it was a new worm, or just some tool commonly used by script kiddies that left a distinctive signature.
They did some research (which I wouldn't have had time to do), and discovered that I had noticed Iraqiworm just as it had started stampeding across the Internet, infecting poorly configured Windows XP and Windows 2000 computers.
So, I didn't actually figure out which worm it was, but I did notice that it looked like a worm. I must say that the fine folks at Visi are wonderful and helpful people.