Security Incidents mailing list archives
RE: Nimda Infections
From: Neil Dickey <neil () geol niu edu>
Date: Tue, 13 Nov 2001 11:03:12 -0600 (CST)
My network is a relatively small one, in the scheme of things, but I have noticed that the distribution of nimda hits is not uniform on all the machines. Those I have most to do with are unix boxes, and those which aren't running webservers have the web ports locked off at the firewall.

All of my machines but one, including both webservers, get nimda hits at the rate of one or two, maybe three, unique sources per day. The remaining box gets a hit every six minutes or so from source IPs all over the world, and has more or less since the outbreak began. (I did the math, and that's the actual frequency.) At one point I opened port 80 and used netcat to see what they were sending. It is in fact nimda.

There must be something non-random in the IP address generator that nimda uses, such that the address of this particular box pops out rather more than I could wish for. They can't get in because the ports are blocked and it's the wrong OS, but my logs get huge and other traffic is obscured by the noise.

By the way, I noticed yesterday that someone seems to be trying to get CodeRed1 going again.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com