Security Incidents mailing list archives

RE: Nimda Infections


From: "Reilly" <reilly () speakeasy org>
Date: Mon, 12 Nov 2001 21:44:31 -0800

Well, I have to say that it is disappointing.  Not only in the fact that
these people don't clean their systems, but that this is one of the few
things that I see.  Most of my system logs are full of ONLY worm attacks.  I
don't even get that many newbie vuln scans.  I get about 10 of them a YEAR!
My company is Fortune 500 and this is all I get.  I guess I should count my
blessings but it does beg the question of "where is the REAL Inet fear?"

I've seen a lot of postings to this group about attacks, however, most of
them are pretty basic and there's not that many of them.  I hate to nullify
the security vendor's fear tactics but I don't see that much on a day to day
basis.  Am I alone?


-----Original Message-----
From: Chip McClure [mailto:vhm3 () hades dnsalias net]
Sent: Monday, November 12, 2001 4:55 PM
To: reilly () speakeasy net
Cc: incidents () securityfocus com
Subject: Re: Nimda Infections


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No, you're not alone. I'm on the 24.x subnet, and I still get a ton of
them banging away on my BSD box. On some of the class C's that I admin, I
have seen a decrease, substantial, but not dramatic, on some of the 206.x &
216.x subnets.

It's really frustrating, and aggravating, to watch the amount of hits
coming in, over & over from the same group of clients. I've been tempted
to send the list to my ISP, but have held my patience for now. A lot of
what I've read is total ignorance on the users' part - most don't even
know that they're running a web server. I know, it is ignorance, but they
should have some common sense, or mild technical abilities to see what is
going on in their machine.

Chip

- -----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
- -----

On Mon, 12 Nov 2001 reilly () speakeasy net wrote:

It's amazing to me when I see the amount of systems still infected with
Nimda.  In today's logs I see a huge amount of systems in the ATT network
that are still banging away.  I can't even give you the amount of systems
that I'm seeing from China.  What is so difficult about patching your system
against the .hta, .htq vuln?  I don't mean to go off on a rant but am I the
only one that feels this way?  Is everyone else seeing the same activity?


AT&T
12.101.62.4
12.102.47.51
12.103.156.10
12.103.159.94
12.64.128.3
12.64.134.199
12.72.139.96
12.73.5.135
12.74.161.194
12.75.41.165
12.77.146.214
12.77.148.241
12.77.151.250
12.78.144.115
12.81.109.130
12.81.120.25
12.81.163.216
12.81.2.240
12.83.81.182
12.83.83.74
12.84.96.198
12.87.145.155
12.88.161.248
12.88.173.180
12.89.165.130
12.91.118.157
12.98.144.18
12.99.178.250
12.99.179.10
12.99.28.7
12.99.94.158

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBO/BvfIxq/3tb9j7EEQK7VACfUZTKKwLdP6zh/cwrYH6rxAbVvEIAoLaG
woMnxi4PV60J+XwrhvOllDTD
=lg18
-----END PGP SIGNATURE-----




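Both posters are doing the same thing by hand: picking the worm's probe requests out of a web server log, counting them per source, and grouping the sources by network so the list can go to the upstream ISP. The script that follows is an added example, not code from this thread or from SecurityFocus; it parses NCSA-style access log lines, matches the Nimda probe paths documented in CERT Advisory CA-2001-26 (root.exe and the encoded directory-traversal requests for cmd.exe), and buckets hits by network. The log lines, the 12/8 grouping (following the post's own labelling of 12.x sources as AT&T) and the non-AT&T addresses from the documentation test ranges are all constructed for the example.

```python
"""Tally Nimda-style probe hits per source address and group them by
network, the way the posters above did by hand before sending the list
upstream.  Added example; not code from the thread."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Well-known Nimda probe request paths (CERT Advisory CA-2001-26): the worm
# asks for root.exe (left behind by Code Red II) or reaches cmd.exe through
# Unicode / double-encoded "..%255c.." directory traversal.
NIMDA_PATTERNS = [
    re.compile(r"/scripts/root\.exe", re.I),
    re.compile(r"/MSADC/root\.exe", re.I),
    re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I),
    re.compile(
        r"/(scripts|_vti_bin|_mem_bin|msadc)/.*%(25|c0|c1)[0-9a-f%]*\.\./.*cmd\.exe",
        re.I,
    ),
]

# NCSA common log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Networks to group by.  The 12/8 label follows the post above, which lists
# its 12.x sources under AT&T; any other prefix falls into "other".
NETWORKS = {"AT&T (12/8)": ip_network("12.0.0.0/8")}

# Constructed sample log (not real traffic): three probes from one address
# that appears in the post, one from another, one from a non-AT&T address
# (TEST-NET-1), and one ordinary page request.
SAMPLE_LOG = """\
12.101.62.4 - - [12/Nov/2001:09:14:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:09:14:03 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:09:14:03 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.64.128.3 - - [12/Nov/2001:09:20:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.77 - - [12/Nov/2001:09:31:45 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.9 - - [12/Nov/2001:09:40:00 -0800] "GET /index.html HTTP/1.1" 200 1043
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path):
    """True if the request path matches one of the worm's probe signatures."""
    return any(p.search(path) for p in NIMDA_PATTERNS)


def tally(lines):
    """Count probe hits per source IP.  Also return the probes that were
    answered with 2xx: a served root.exe or cmd.exe means the path exists on
    this host, which is a compromise indicator rather than background noise."""
    per_ip = Counter()
    served = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec["path"]):
            continue
        per_ip[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            served.append((rec["ip"], rec["path"]))
    return per_ip, served


def group_by_network(per_ip, networks=NETWORKS):
    """Bucket per-IP counts by the first matching network, for an abuse report."""
    grouped = defaultdict(Counter)
    for ip, n in per_ip.items():
        addr = ip_address(ip)
        label = next((name for name, net in networks.items() if addr in net), "other")
        grouped[label][ip] += n
    return grouped


def report(grouped):
    """Render the grouped counts as the kind of list a poster would send upstream."""
    out = []
    for label in sorted(grouped):
        out.append(f"{label}: {sum(grouped[label].values())} probe(s)")
        for ip, n in grouped[label].most_common():
            out.append(f"  {ip:<16} {n}")
    return out


if __name__ == "__main__":
    counts, served = tally(SAMPLE_LOG.splitlines())
    print("\n".join(report(group_by_network(counts))))
    if served:
        print("WARNING: probe paths were served with 2xx:", served)
```

The split between `per_ip` and `served` is the check worth keeping: a log full of 404s on these paths is exactly the noise both posters complain about, while a single 2xx on one of them means the requested file is really present and the box needs attention rather than a ticket to someone else's ISP.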