Security Incidents mailing list archives
Re: Has anyone seen this pattern?
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 19 Oct 2001 08:46:25 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE----- On Fri, 19 Oct 2001, VanMeter, John wrote:
Interesting Pattern... if you look at the below information you can see two things. 1. All IP address start in the 199.x.x.x 2. the attacks use the same 13 attempted HTTP Attacks and 14 Suspicious URL The only different one was 199.111.x.x which used 26 HTTP Attacks and 26 Suspicious URL.
What are the URIs requested? Based on the request count alone, I'd suspect it's a bunch of Nimda-infected hosts on the same network. I see plenty of them from the Class A I'm on, and even more from the Class B I'm on. - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee."-. >====<--. C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) | = |-' `--' `--' `- Peace without justice is life without living. -' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBO9A8xblDRyqRQ2a9AQGFjQP7BiZqvWlvV+/izf79Ct1Z4twRpv3NUFlv rg6JizRH/N0zj25j1wNVfMzZrLm+nMmYWi4PQp47WqHdfN6qGJ3as6R41xK+6XDr uhU9BcdBGCgzASgPhRfVG4SivshEHWCqUulfttKYG5ZbiHM/5qhmynYH3ggNtjZg oEHjTB0N7ts= =tUul -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Has anyone seen this pattern? VanMeter, John (Oct 19)
- Re: Has anyone seen this pattern? Jay D. Dyson (Oct 19)