Security Incidents mailing list archives

Re: NIMDA has a built in timer? No hits lately


From: Mike Baptiste <mike () msbnetworks net>
Date: Tue, 18 Sep 2001 21:33:14 -0400

I run a TINY setup - grand total of 3 IPs on 64.* and I'm getting hammered. Since 1PM EST (cable cut this morning :( ), we've seen almost 4,400 cmd.exe and 4,300 multiple decode IIS probes, and the rate is fairly constant even in the last hour (8-9PM EST). We're seeing hits from about 400 unique IPs so far.

So even on a REALLY small network the amount of probes is impressive.

Mike

Sevo Stille wrote:

> David Kennedy CISSP wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> I started getting hit @ 13:09:55 UTC this morning. My sensors have
>> not been touched since 19:15:10 UTC this afternoon.
>
> Well, in the 212 netblock it is still going on, even though the rate has been approximately halving every hour for the last two hours. The last hit so far was at 23:48:31 UTC. Originally, about 10% came from all over the /8 I'm in, but for the last hour, it has been all from my /16.
