Security Incidents mailing list archives
RE: Increased IIS scans mainly on 66.0.0.0/8 - Update
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 20 Aug 2002 09:27:17 +1200
On Tue, 2002-08-20 at 03:19, Richard Gilman wrote:
I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our 66.0.0.0/8 network and I see 31 sources each send in multiples of 13 attempts. Of the 31 hosts, 3 sources were not from 66/8.
These sound like standard nimda, which scans its /8 more heavily than the rest of the net (except for the /16 which gets even more intensive scanning) -- I forget the exact proportions. One of those
was from wanadoo.fr with 130 hits. The hits can come as fast as 2 per second, so I assume that it has to be scripted.
There are many scripted attacks that are being used by kiddies. Last night someone when through a bunch of our IIS servers delivering around 10,000 probes against 20 different web servers over about 90 minutes. At the same time another IIS server got hit by 70 probes. This is only an
annoyance and does not do anything more that make noise in my logs, but I think it is some sort of worm because of the fact they all send in multiples of 13 and it seems that the odds of having 31 script kiddies
As I said above I think that the 13 probes are almost certainly nimda or a close variant. Nimda normally delivers 14 unicode probes and one probe for root.exe. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Increased IIS scans mainly on 66.0.0.0/8 - Update Richard Gilman (Aug 19)
- RE: Increased IIS scans mainly on 66.0.0.0/8 - Update Russell Fulton (Aug 20)
- <Possible follow-ups>
- RE: Increased IIS scans mainly on 66.0.0.0/8 - Update Richard Gilman (Aug 20)