Re: Has anyone seen this pattern?

["Jay D. Dyson" <jdyson () treachery net>]

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 19 Oct 2001, VanMeter, John wrote:

> Interesting Pattern... if you look at the below information you can see two
> things.
>       1. All IP address start in the 199.x.x.x 
>       2. the attacks use the same 13 attempted HTTP Attacks and 14
> Suspicious URL
> The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
> Suspicious URL.

        What are the URIs requested?  Based on the request count alone,
I'd suspect it's a bunch of Nimda-infected hosts on the same network.  I
see plenty of them from the Class A I'm on, and even more from the Class B
I'm on.

- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `- Peace without justice is life without living. -'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO9A8xblDRyqRQ2a9AQGFjQP7BiZqvWlvV+/izf79Ct1Z4twRpv3NUFlv
rg6JizRH/N0zj25j1wNVfMzZrLm+nMmYWi4PQp47WqHdfN6qGJ3as6R41xK+6XDr
uhU9BcdBGCgzASgPhRfVG4SivshEHWCqUulfttKYG5ZbiHM/5qhmynYH3ggNtjZg
oEHjTB0N7ts=
=tUul
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com