Security Incidents mailing list archives
Re: Yet Another Nimda Thread (YANT)
From: Tracey Losco <tal1 () acf3 nyu edu>
Date: Fri, 21 Sep 2001 13:43:56 -0400
Are you asking whether anyone has seen a lack of the scans in their own netblock (i.e. 128.122), or in everything inclusive of that netblock (i.e. 128)?
I found a really cool script from this guy Bryan Andersen on one of the newsgroups, that tests for how many pokes you've seen from the Nimda worm, and as of 2:00pm yesterday, I haven't seen any from inside our own. See below:
Column i represents .ida requests on our network; column /16 is our own network making a Nimda file request, and you know the rest from there.
20/Sep/2001:14 i 1 /16 0 /8 2 /0 2
20/Sep/2001:15 i 0 /16 0 /8 1 /0 1
20/Sep/2001:16 i 0 /16 0 /8 0 /0 0
20/Sep/2001:17 i 1 /16 0 /8 0 /0 0
20/Sep/2001:18 i 1 /16 0 /8 1 /0 1
20/Sep/2001:19 i 0 /16 0 /8 0 /0 0
20/Sep/2001:20 i 0 /16 0 /8 0 /0 1
20/Sep/2001:21 i 0 /16 0 /8 0 /0 2
20/Sep/2001:22 i 0 /16 0 /8 0 /0 0
20/Sep/2001:23 i 1 /16 0 /8 0 /0 2
21/Sep/2001:00 i 1 /16 0 /8 0 /0 0
21/Sep/2001:01 i 1 /16 0 /8 1 /0 1
21/Sep/2001:02 i 0 /16 0 /8 2 /0 2
21/Sep/2001:03 i 0 /16 0 /8 1 /0 1
21/Sep/2001:04 i 1 /16 0 /8 1 /0 3
21/Sep/2001:05 i 0 /16 0 /8 3 /0 4
21/Sep/2001:06 i 0 /16 0 /8 1 /0 1
21/Sep/2001:07 i 1 /16 0 /8 0 /0 1
21/Sep/2001:08 i 0 /16 0 /8 0 /0 0
21/Sep/2001:09 i 0 /16 0 /8 0 /0 0
21/Sep/2001:10 i 1 /16 0 /8 1 /0 2
21/Sep/2001:11 i 0 /16 0 /8 0 /0 0
21/Sep/2001:12 i 0 /16 0 /8 0 /0 0
21/Sep/2001:13 i 1 /16 0 /8 0 /0 0

I don't know whether to be happy, or whether to be in fear of the storm to come...
--------------------------------------------------------------------
Tracey Losco                                 Network Security Analyst
security () nyu edu                          ITS - Network Services
http://www.nyu.edu/its/security              New York University
(212) 998 - 3433
PGP Fingerprint: 8FFB FE47 6156 7BF0 B19E 462B 9DFE 51F5

At 12:46 PM -0400 9/21/01, Portnoy, Gary wrote:
I heard there were a few reports of Nimda going completely quiet in certain netblocks, but none were substantiated. I haven't seen a single Nimda IIS exploit attempt since a little before 10 AM (EST). I checked my IDS, Apache logs, IIS logs -- nothing. Seems like it went silent. Still seeing CodeRed though. Can anyone correlate? I am somewhere in the 12.27 netblock :)

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
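The hourly table above was produced by Bryan Andersen's script, which is not reproduced on this page. The following is an added example, written for this archive page and not the script from the thread, of how such a per-hour count can be built from an Apache access log: it tags requests for default.ida (the Code Red family probe) as the "i" column, and requests for root.exe or cmd.exe (the well-known Nimda IIS probes, including the Unicode and double-decode traversal forms) as Nimda hits, then buckets the Nimda hits by how close the source address is to the observing host. The column semantics are an assumption read off the table: /0 counts every Nimda hit, /8 those from inside the local /8, /16 those from inside the local /16, so the three are cumulative. The local address and the log lines are constructed for the example and are not the NYU data from the post.

```python
"""Per-hour count of Nimda and Code Red probes in an Apache access log.

Added example for this archive page; not Bryan Andersen's script from the
thread.  Column semantics (i = .ida requests, /16, /8, /0 = Nimda requests
from progressively wider neighbourhoods of the local host) are an
interpretation of the table in the post.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the observing host's address (RFC 5737 range);
# the real site's netblock is not part of this example.
LOCAL_ADDR = ipaddress.ip_address("192.0.2.10")

# Apache common/combined log prefix: client, ident, user, [time], "METHOD URI ...".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

# Code Red family: GET /default.ida?NNNN...%u9090%u6858... (ISAPI .ida overflow).
IDA_RE = re.compile(r"\.ida\?", re.I)
# Nimda: requests for root.exe (Code Red II backdoor) or cmd.exe, reached
# directly or via ..%255c / ..%c1%1c / ..%c0%af directory traversal.
NIMDA_RE = re.compile(r"(root|cmd)\.exe", re.I)


def proximity(src: str, local: ipaddress.IPv4Address = LOCAL_ADDR) -> int:
    """Longest of the /16 and /8 prefixes that src shares with local, else 0."""
    packed = ipaddress.ip_address(src).packed
    if packed[:2] == local.packed[:2]:
        return 16
    if packed[:1] == local.packed[:1]:
        return 8
    return 0


def count_probes(lines, local: ipaddress.IPv4Address = LOCAL_ADDR) -> dict:
    """Return {hour: {"i": n, "/16": n, "/8": n, "/0": n}} keyed like '20/Sep/2001:14'."""
    hourly = defaultdict(lambda: {"i": 0, "/16": 0, "/8": 0, "/0": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        src, ts, _method, uri = m.groups()
        hour = ts.rsplit(":", 2)[0]  # '20/Sep/2001:14:03:22 -0400' -> '20/Sep/2001:14'
        row = hourly[hour]
        if IDA_RE.search(uri):
            row["i"] += 1
        elif NIMDA_RE.search(uri):
            p = proximity(src, local)
            row["/0"] += 1            # every Nimda hit, wherever it came from
            if p >= 8:
                row["/8"] += 1        # ...and from inside our /8
            if p >= 16:
                row["/16"] += 1       # ...and from inside our /16
    return dict(hourly)


def format_table(hourly: dict) -> str:
    """Render rows in the same one-line-per-hour layout as the table in the post."""
    order = sorted(hourly, key=lambda h: datetime.strptime(h, "%d/%b/%Y:%H"))
    return "\n".join(
        f"{h} i {r['i']} /16 {r['/16']} /8 {r['/8']} /0 {r['/0']}"
        for h, r in ((h, hourly[h]) for h in order)
    )


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.77 - - [20/Sep/2001:14:03:22 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.168.1.9 - - [20/Sep/2001:14:10:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285',
    '198.51.100.3 - - [20/Sep/2001:14:45:09 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316',
    '203.0.113.8 - - [20/Sep/2001:15:02:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 326',
    '192.0.2.15 - - [20/Sep/2001:15:30:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    print(format_table(count_probes(SAMPLE_LOG)))
```

On the sample, hour 14 yields one hit from the local /16, two from the local /8 (the /16 hit plus 192.168.1.9) and three in total, while hour 15 records only the .ida probe; the benign index.html request is ignored. Feed the functions the lines of a real access log and the output lines up with the table format used in the thread.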
Current thread:
- Yet Another Nimda Thread (YANT) Portnoy, Gary (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Midnight Ryder (Sep 21)
- Re: Yet Another Nimda Thread (YANT) hvdkooij (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Bryan Andersen (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Tracey Losco (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Florian Weimer (Sep 21)
- <Possible follow-ups>
- RE: Yet Another Nimda Thread (YANT) Andrew Blevins (Sep 21)
- RE: Yet Another Nimda Thread (YANT) Jose Nazario (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Mike Lewinski (Sep 21)
- RE: Yet Another Nimda Thread (YANT) Robert Nieuwhof (Sep 21)
- Re: Yet Another Nimda Thread (YANT) Bryan Andersen (Sep 23)