W32/Welchia Worm/Nachi Worm

anthall Mon, 08/18/2003 - 13:19
User Badges:
  • Cisco Employee,

The new Nachi worm uses the same vulnerability as the MSBlaster worm. Signature 3327 detects both attacks; it was written to detect the vulnerability, not the specific worm.

seth.leone Thu, 09/04/2003 - 08:35

Hi,


I'm seeing the 3327, and 3328, and 2100s etc... but I'm NOT seeing the WebDAV exploit triggered by the NACHI worm, and I know it's happening because I correlate the 2100s and 3327/8 sigs to the same destination IPs (some internet response due to increased port 80 scanning).

Is anyone else picking up the Nachi worm port 80 SYN (WebDAV exploit) activity with a Cisco sig (5364 or 5365)?


thx
