Security Incidents mailing list archives

Re: Tracking down the still infected hosts


From: Skip Carter <skip () taygeta com>
Date: Tue, 25 Sep 2001 12:54:11 -0700


According to Ryan Russell (who's been analyzing the
worm code), Nimda doesn't honor redirects - it just
checks the response it gets from a Web server to 
determine whether or not the server is vulnerable.
It doesn't follow redirects.  So what does this 
actually accomplish?

Isn't it possible that the Nimda traffic is going down
because of the decaying growth curve of propagation?
Or am I just missing something?

  On my network, it certainly is the case that Nimda traffic
  is dropping off. Here is what I have seen in the last week:

    date     incidents
   09/18       2996
   09/19       2014
   09/20       1136
   09/21        165
   09/22        382
   09/23        371
   09/24        147



 

-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html












----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

