Security Incidents mailing list archives

Re: Yet Another Nimda Thread (YANT)


From: Florian Weimer <Florian.Weimer () RUS Uni-Stuttgart DE>
Date: 21 Sep 2001 23:17:12 +0200

"Portnoy, Gary" <gportnoy () belenosinc com> writes:

I heard there were a few reports of Nimda going completely quiet in certain
netblocks, but none were substantiated.  I haven't seen a single Nimda IIS
exploit attempt since a little before 10 AM (EST).  I checked my IDS, apache
logs, IIS logs -- nothing.  Seems like it went silent.  Still seeing CodeRed
though. Can anyone correlate?  I am somewhere in the 12.27 netblock :)

The scanning is certainly not uniformly distributed.  Our IP address
space was hit pretty hard on the 18th and 19th, but some hosts were
targeted only very lightly.  OTOH, we have only a very limited number
of infected machines in the local /16 address range (hmm, possibly up
to /15 or /14), due to massive efforts to get vulnerable IIS servers
off the network, so our data is probably not representative.

-- 
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
