Security Incidents mailing list archives

Nimda probes from way off IP addresses


From: "Steve Cody" <security () gulbrandsen com>
Date: Fri, 21 Sep 2001 14:20:52 -0400

It has been my understanding that the Nimda probes to web servers were
always from nearby IP address blocks.  I was reviewing the history of
the scans on my apache server and noticed something strange with the
addresses.

My address is in 216.x.x.x.  I received probes from 468 unique IPs.
The probes to my web server started at 18/Sep/2001:09:24:22 EST, and
they continue until this hour, and have yet to cease.

Breakdown:

205.x.x.x - 1 Host
206.x.x.x - 1 Host
207.x.x.x - 2 Hosts
208.x.x.x - 1 Host
209.x.x.x - 3 Hosts
216.x.x.x - 457 Hosts
63.x.x.x - 1 Host
64.x.x.x - 1 Host
65.x.x.x - 1 Host

Why the probes from the 63, 64, 65 blocks?  Their signature definitely
appears to be Nimda.

Can someone explain?

Thanks,
Steve Cody


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
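As an added example (not part of Steve's post or the list archive), here is a Python script that reproduces this kind of breakdown from an Apache access log: it picks out requests whose paths match the well-known Nimda probe URIs (assumed from the public advisory signature list, not given in the post), counts unique source hosts per first octet, and lists the sources outside the server's own block. The log lines and addresses below are constructed.

```python
import re
from collections import defaultdict

# Request-path fragments characteristic of Nimda's web probes. Assumption: taken
# from the public signature list for the worm, not from the post above. Encoded
# traversal variants (..%5c.., ..%c1%1c..) still end in /winnt/system32/cmd.exe.
NIMDA_MARKERS = ("/scripts/root.exe", "/msadc/root.exe", "/winnt/system32/cmd.exe")

# Apache common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) ([^" ]+)')

def is_nimda_probe(path: str) -> bool:
    """True when the requested path contains a Nimda probe marker (case-insensitive)."""
    p = path.lower()
    return any(m in p for m in NIMDA_MARKERS)

def nimda_sources(log_lines):
    """Set of unique client IPs that sent at least one Nimda-style probe."""
    sources = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group(3)):
            sources.add(m.group(1))
    return sources

def breakdown_by_first_octet(ips):
    """Unique probing hosts per first-octet block, like the post's 'Breakdown'."""
    counts = defaultdict(int)
    for ip in ips:
        counts[ip.split(".")[0]] += 1
    return dict(sorted(counts.items(), key=lambda kv: int(kv[0])))

def off_block_sources(ips, local_first_octet):
    """Probing IPs whose first octet differs from the server's own ('way off' hosts)."""
    return sorted(ip for ip in ips if ip.split(".")[0] != local_first_octet)

# Constructed sample log: three probes from two blocks, plus one normal request.
SAMPLE_LOG = [
    '216.0.2.10 - - [18/Sep/2001:09:24:22 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '216.0.2.11 - - [18/Sep/2001:09:25:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '63.0.113.5 - - [18/Sep/2001:10:02:45 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '216.0.2.10 - - [18/Sep/2001:10:03:00 -0400] "GET /index.html HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    srcs = nimda_sources(SAMPLE_LOG)
    print(breakdown_by_first_octet(srcs))   # {'63': 1, '216': 2}
    print(off_block_sources(srcs, "216"))    # ['63.0.113.5']
```

Feed it the real access log (e.g. `nimda_sources(open("access_log"))`) to get the per-block counts for a full scan history.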

