Security Incidents mailing list archives

Nimda Probes by Hour


From: Bryan Andersen <bryan () visi com>
Date: Wed, 19 Sep 2001 14:48:33 -0500

Breakdown by hour so far (TZ=-500)
/16, /8, /0 are probes for:
  "GET /MSADC/root.exe?/c+dir HTTP/1.0"
which is one of the probes the nimda worm is using.

                     net
dd/mmm/yyyy:hh  ida  /16  /8   /0
--------------  ---  ---  ---  ---
18/Sep/2001:08   0     8   15   15
18/Sep/2001:09   0    12   17   18
18/Sep/2001:10   1    16   18   18
18/Sep/2001:11   0    17   25   25
18/Sep/2001:12   2    15   27   27
18/Sep/2001:13   0    11   20   20
18/Sep/2001:14   2     6   13   13
18/Sep/2001:15   2     3   11   11
18/Sep/2001:16   0     3   11   11
18/Sep/2001:17   2     8   18   18
18/Sep/2001:18   3     9   20   21
18/Sep/2001:19   0     6   23   23
18/Sep/2001:20   1     3   15   15
18/Sep/2001:21   0     8   20   21
18/Sep/2001:22   1     9   20   21
18/Sep/2001:23   1     8   19   19
19/Sep/2001:00   1     8   11   11
19/Sep/2001:01   1    14   26   26
19/Sep/2001:02   0    14   28   30
19/Sep/2001:03   1     3   12   12
19/Sep/2001:04   1    10   14   14
19/Sep/2001:05   0    10   15   15
19/Sep/2001:06   1    11   16   16
19/Sep/2001:07   1     9   14   14
19/Sep/2001:08   0    10   16   17
19/Sep/2001:09   0     4    6    7
19/Sep/2001:10   0     1    2    2
19/Sep/2001:11   1     3    5    6
19/Sep/2001:12   0     2    4    4
19/Sep/2001:13   0     7   10   10

I wrote a quick and dirty shell script to get counts by hour.  
I've placed a copy at:

    http://www.nerdvest.com/security/get-times.bash

I originally wrote the script to search for .ida counts by day 
and have extended it for .exe counts by hour.  It expects standard 
Apache log file format and uses simple greps and word counts to do 
its work.  It was developed on an OpenBSD system with the bash 
shell added.  The output format is different than above.  There 
are a few lines that would need customization for your site.


-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
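As an added example (not the script linked in the post), a POSIX shell function that produces the same per-hour breakdown from an Apache common-log file with awk. It assumes the /16, /8 and /0 columns count root.exe probes from sources inside the web server's own /16, inside its /8 and from anywhere, and it runs on a constructed sample log with the server assumed to sit at 192.0.2.10.

```shell
#!/bin/sh
# Added example, not the script from the post. Counts probe lines per hour
# from an Apache common/combined log in the post's layout: ida = requests
# for a .ida URL; /16, /8, /0 = root.exe probes from sources inside the
# server's own /16, its /8, and from anywhere (cumulative). That reading
# of the net columns is an assumption.
# nimda_by_hour LOGFILE SERVER_IP  -> "dd/Mon/yyyy:hh ida /16 /8 /0" per hour
nimda_by_hour() {
  awk -v server="$2" '
  BEGIN {
    n = 0
    split(server, o, ".")
    p16 = o[1] "." o[2] "."      # prefix shared with the server /16
    p8  = o[1] "."               # prefix shared with the server /8
  }
  {
    ip   = $1                    # client address is the first field
    hour = substr($4, 2, 14)     # "[18/Sep/2001:08:15:22" -> "18/Sep/2001:08"
    hit  = 0
    if (index($0, ".ida?") > 0) { ida[hour]++; hit = 1 }
    if (index($0, "/MSADC/root.exe?/c+dir") > 0) {
      all[hour]++; hit = 1
      if (index(ip, p8)  == 1) n8[hour]++
      if (index(ip, p16) == 1) n16[hour]++
    }
    # remember hours in log order so the output stays chronological
    if (hit && !(hour in seen)) { seen[hour] = 1; order[++n] = hour }
  }
  END {
    for (i = 1; i <= n; i++) {
      h = order[i]
      printf "%s %d %d %d %d\n", h, ida[h], n16[h], n8[h], all[h]
    }
  }' "$1"
}
# Constructed sample log (RFC 5737 test addresses); server assumed at 192.0.2.10
LOG="${TMPDIR:-/tmp}/nimda-sample.$$"
cat > "$LOG" <<'EOF'
192.0.2.77 - - [18/Sep/2001:08:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
192.5.6.7 - - [18/Sep/2001:08:20:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
203.0.113.9 - - [18/Sep/2001:08:31:45 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
198.51.100.4 - - [18/Sep/2001:08:40:10 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 0
203.0.113.9 - - [18/Sep/2001:09:02:13 -0500] "GET /index.html HTTP/1.0" 200 1024
192.0.2.78 - - [18/Sep/2001:09:10:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
EOF
echo "hour           ida /16 /8 /0"
nimda_by_hour "$LOG" 192.0.2.10
```

Point it at a real access_log and your server's address to reproduce the table; only the single root.exe probe string named in the post is matched.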

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
