Security Incidents mailing list archives

RE: Nimda Infections


From: Neil Dickey <neil () geol niu edu>
Date: Tue, 13 Nov 2001 11:03:12 -0600 (CST)


My network is a relatively small one, in the scheme of things, but
I have noticed that the distribution of nimda hits is not uniform
on all the machines.  Those I have most to do with are unix boxes,
and those which aren't running webservers have the web ports locked
off at the firewall.  All of my machines but one, including both
webservers, get nimda hits at the rate of one or two, maybe three,
unique sources per day.  The remaining box gets a hit every six
minutes or so from source IPs all over the world, and has more or
less since the outbreak began.  ( I did the math, and that's the
actual frequency. )  At one point I opened port 80 and used netcat
to see what they were sending.  It is in fact nimda.

There must be something non-random in the IP address generator that
nimda uses, such that the address of this particular box pops out
rather more than I could wish for.  They can't get in because the
ports are blocked and it's the wrong OS, but my logs get huge and
other traffic is obscured by the noise.

By the way, I noticed yesterday that someone seems to be trying to
get CodeRed1 going again.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
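The "I did the math" step above, counting unique probe sources per host per day and the average gap between hits, is easy to automate over web or firewall logs. The script below is an added example, not part of the original post; it assumes a constructed Apache common-log layout with a leading hostname field, and tags requests using the widely documented Nimda (root.exe / cmd.exe) and Code Red (default.ida) probe strings so that a firewall-blocked or non-IIS host that still attracts them shows up as noise rather than risk.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Well-known request substrings used by the Nimda and Code Red worms when
# probing a web server. They are used here only to label log entries.
NIMDA_MARKERS = ("/scripts/root.exe", "/msadc/root.exe", "/winnt/system32/cmd.exe")
CODERED_MARKER = "/default.ida"

# Constructed log layout for this example (assumption, not the poster's format):
#   host ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample: "noisy" is hit every six minutes by different sources,
# "quiet" sees two probes in a day; documentation IP ranges are used throughout.
SAMPLE_LOG = [
    'noisy 203.0.113.5 - - [13/Nov/2001:09:00:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    'noisy 203.0.113.9 - - [13/Nov/2001:09:06:00 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    'noisy 198.51.100.7 - - [13/Nov/2001:09:09:30 -0600] "GET /index.html HTTP/1.0" 200 1024',
    'noisy 198.51.100.2 - - [13/Nov/2001:09:12:00 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    'noisy 203.0.113.77 - - [13/Nov/2001:09:18:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    'quiet 198.51.100.40 - - [13/Nov/2001:10:00:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    'quiet 203.0.113.200 - - [13/Nov/2001:11:00:00 -0600] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 -',
]


def parse_line(line):
    """Return a dict with host, ip, timestamp and request, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def classify(request):
    """Label a request line as 'nimda', 'codered' or None (ordinary traffic)."""
    req = request.lower()
    if any(marker in req for marker in NIMDA_MARKERS):
        return "nimda"
    if CODERED_MARKER in req:
        return "codered"
    return None


def summarize(lines):
    """Per host: probe count, unique sources per day, mean seconds between probes."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["req"])
        if worm is None:
            continue  # legitimate traffic is not counted
        rec["worm"] = worm
        by_host[rec["host"]].append(rec)

    result = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        per_day = defaultdict(set)
        for r in recs:
            per_day[r["ts"].date()].add(r["ip"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        result[host] = {
            "probes": len(recs),
            "unique_sources_per_day": {str(d): len(ips) for d, ips in per_day.items()},
            "mean_gap_seconds": mean(gaps) if gaps else None,
            "worms": sorted({r["worm"] for r in recs}),
        }
    return result


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(host, stats)
```

Running it on the constructed sample reports a mean gap of 360 seconds and four distinct sources for "noisy", matching the six-minute cadence described in the post; on real logs the same per-host comparison is what separates a host that is merely over-sampled by the worm's address generator from one that is actually exposed.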



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

