Mailing List Archive

Slapper_worm
Has someone developed NASL for probing Slapper_Worm??

Detecting Apache/mod_ssl worm activity on the network
Infected systems are readily identifiable on a network by the following
traffic characteristics:

* Probing -- Scanning on 80/tcp
* Propagation -- Connections to 443/tcp
* DDoS -- Transmitting or receiving datagrams with both source and
  destination ports 1978/udp, 2002/udp, or 4156/udp. This traffic is used
  as a communications channel between infected systems to coordinate
  attacks on other sites.
* Backdoor ("B" variant only) -- Listening on 1052/tcp.

Additionally, infected hosts that are actively participating in DDoS
attacks against other systems may generate unusually high volumes of
attack traffic using various protocols (e.g., TCP, UDP, ICMP).

http://www.cert.org/advisories/CA-2002-27.html
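
The traffic characteristics quoted above, applied to flow records. This is an added example, not part of the original post or the CERT advisory. The flow tuple layout, the indicator names, the scan threshold of 20 and the sample records (documentation address ranges) are assumptions made for illustration.

```python
from collections import defaultdict

P2P_UDP_PORTS = {1978, 2002, 4156}  # coordination channel ports from the advisory
BACKDOOR_TCP_PORT = 1052            # "B" variant only
SCAN_THRESHOLD = 20                 # assumption: distinct 80/tcp targets per source

def classify(flows, scan_threshold=SCAN_THRESHOLD):
    """flows: ordered (proto, src, sport, dst, dport, answered) tuples.
    Returns {host: set of indicator names}."""
    hits = defaultdict(set)
    probed = defaultdict(set)    # src -> hosts it contacted on 80/tcp
    followed = defaultdict(set)  # src -> probed hosts it then contacted on 443/tcp
    for proto, src, sport, dst, dport, answered in flows:
        if proto == "udp":
            # Advisory: BOTH source and destination port are worm ports.
            if sport in P2P_UDP_PORTS and dport in P2P_UDP_PORTS:
                hits[src].add("p2p-udp")
                hits[dst].add("p2p-udp")  # transmitting or receiving
        elif proto == "tcp":
            if dport == BACKDOOR_TCP_PORT and answered:
                hits[dst].add("backdoor-1052")  # something is listening
            elif dport == 80:
                probed[src].add(dst)
            elif dport == 443 and dst in probed[src]:
                followed[src].add(dst)
    for src, targets in probed.items():
        # A single 80 -> 443 sequence is normal browsing; require scan volume.
        if len(targets) >= scan_threshold:
            hits[src].add("scan-80")
            if followed[src]:
                hits[src].add("propagation-443")
    return dict(hits)

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = (
    [("tcp", "192.0.2.10", 40000 + i, f"198.51.100.{i}", 80, False)
     for i in range(1, 26)]
    + [
        ("tcp", "192.0.2.10", 41000, "198.51.100.7", 443, True),
        ("udp", "192.0.2.10", 2002, "203.0.113.5", 2002, False),
        ("tcp", "203.0.113.9", 50000, "192.0.2.20", 1052, True),
        ("tcp", "203.0.113.9", 50001, "192.0.2.21", 1052, False),   # port closed
        ("tcp", "192.0.2.30", 50100, "198.51.100.80", 80, True),    # ordinary browsing
        ("tcp", "192.0.2.30", 50101, "198.51.100.80", 443, True),
        ("udp", "192.0.2.30", 53124, "198.51.100.53", 2002, True),  # only dst port matches
    ]
)
```

The UDP check is the strongest of the four, since ordinary clients rarely use one of these ports on both ends; the 80/tcp and 443/tcp indicators only mean something in volume.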