Re: Yet Another Nimda Thread (YANT)

From: Bryan Andersen (bryan@visi.com)
Date: 09/21/01


Message-ID: <3BAB83B1.7A46A551@visi.com>
Date: Fri, 21 Sep 2001 13:15:13 -0500
From: Bryan Andersen <bryan@visi.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Subject: Re: Yet Another Nimda Thread (YANT)


"Portnoy, Gary" wrote:
>
> I heard there were a few reports of Nimda going completely quiet in certain
> netblocks, but none were substantiated. I haven't seen a single Nimda IIS
> exploit attempt since a little before 10 AM (EST). I checked my IDS, apache
> logs, IIS logs -- nothing. Seems like it went silent. Still seeing CodeRed
> though. Can anyone correlate? I am somewhere in the 12.27 netblock :)

I wish I could say things have gone all quiet, but I've
seen 20 scans so far today. 2 in the past hour. Looks
like I have three to forward to my ISP. Times are (-500)

dd/mmm/yyyy:hh CodeRed         Nimda
-------------- --------------- ------------------
21/Sep/2001:00 /16 0 /8 0 /0 0 /16 0 /8 4 /0 4
21/Sep/2001:01 /16 0 /8 0 /0 1 /16 0 /8 4 /0 4
21/Sep/2001:02 /16 0 /8 0 /0 0 /16 0 /8 4 /0 4
21/Sep/2001:03 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
21/Sep/2001:04 /16 0 /8 0 /0 1 /16 0 /8 1 /0 1
21/Sep/2001:05 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:06 /16 0 /8 0 /0 1 /16 0 /8 0 /0 0
21/Sep/2001:07 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:08 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:09 /16 0 /8 0 /0 1 /16 0 /8 0 /0 0
21/Sep/2001:10 /16 0 /8 0 /0 0 /16 1 /8 1 /0 2
21/Sep/2001:11 /16 1 /8 1 /0 1 /16 0 /8 1 /0 1
21/Sep/2001:12 /16 1 /8 1 /0 1 /16 2 /8 2 /0 2

18/Sep/2001:08 /16 0 /8 0 /0 0 /16 8 /8 15 /0 15
18/Sep/2001:09 /16 0 /8 0 /0 0 /16 12 /8 17 /0 18
18/Sep/2001:10 /16 0 /8 1 /0 1 /16 16 /8 18 /0 18
18/Sep/2001:11 /16 0 /8 0 /0 0 /16 17 /8 25 /0 25
18/Sep/2001:12 /16 0 /8 0 /0 2 /16 15 /8 27 /0 27
18/Sep/2001:13 /16 0 /8 0 /0 0 /16 11 /8 20 /0 20
18/Sep/2001:14 /16 0 /8 2 /0 2 /16 6 /8 13 /0 13
18/Sep/2001:15 /16 0 /8 2 /0 2 /16 3 /8 11 /0 11
18/Sep/2001:16 /16 0 /8 0 /0 0 /16 3 /8 11 /0 11
18/Sep/2001:17 /16 0 /8 2 /0 2 /16 8 /8 18 /0 18
18/Sep/2001:18 /16 0 /8 3 /0 3 /16 9 /8 20 /0 21
18/Sep/2001:19 /16 0 /8 0 /0 0 /16 6 /8 23 /0 23
18/Sep/2001:20 /16 0 /8 0 /0 1 /16 3 /8 15 /0 15
18/Sep/2001:21 /16 0 /8 0 /0 0 /16 8 /8 20 /0 21
18/Sep/2001:22 /16 0 /8 0 /0 1 /16 9 /8 20 /0 21
18/Sep/2001:23 /16 0 /8 1 /0 1 /16 8 /8 19 /0 19
19/Sep/2001:00 /16 0 /8 0 /0 1 /16 8 /8 11 /0 11
19/Sep/2001:01 /16 0 /8 1 /0 1 /16 14 /8 26 /0 26
19/Sep/2001:02 /16 0 /8 0 /0 0 /16 14 /8 28 /0 30
19/Sep/2001:03 /16 0 /8 1 /0 1 /16 3 /8 12 /0 12
19/Sep/2001:04 /16 0 /8 1 /0 1 /16 10 /8 14 /0 14
19/Sep/2001:05 /16 0 /8 0 /0 0 /16 10 /8 15 /0 15
19/Sep/2001:06 /16 0 /8 1 /0 1 /16 11 /8 16 /0 16
19/Sep/2001:07 /16 0 /8 0 /0 1 /16 9 /8 14 /0 14
19/Sep/2001:08 /16 0 /8 0 /0 0 /16 10 /8 16 /0 17
19/Sep/2001:09 /16 0 /8 0 /0 0 /16 4 /8 6 /0 7
19/Sep/2001:10 /16 0 /8 0 /0 0 /16 1 /8 2 /0 2
19/Sep/2001:11 /16 0 /8 1 /0 1 /16 3 /8 5 /0 6
19/Sep/2001:12 /16 0 /8 0 /0 0 /16 2 /8 4 /0 4
19/Sep/2001:13 /16 0 /8 0 /0 0 /16 7 /8 10 /0 10
19/Sep/2001:14 /16 0 /8 0 /0 0 /16 2 /8 13 /0 13
19/Sep/2001:15 /16 0 /8 0 /0 0 /16 2 /8 12 /0 12
19/Sep/2001:16 /16 0 /8 1 /0 1 /16 5 /8 9 /0 9
19/Sep/2001:17 /16 0 /8 0 /0 1 /16 7 /8 12 /0 12
19/Sep/2001:18 /16 0 /8 0 /0 1 /16 3 /8 7 /0 7
19/Sep/2001:19 /16 0 /8 0 /0 0 /16 3 /8 5 /0 6
19/Sep/2001:20 /16 0 /8 0 /0 0 /16 5 /8 7 /0 7
19/Sep/2001:21 /16 0 /8 0 /0 0 /16 1 /8 8 /0 8
19/Sep/2001:22 /16 0 /8 0 /0 0 /16 1 /8 9 /0 10
19/Sep/2001:23 /16 0 /8 0 /0 0 /16 1 /8 8 /0 8
20/Sep/2001:00 /16 0 /8 1 /0 2 /16 2 /8 4 /0 4
20/Sep/2001:01 /16 0 /8 0 /0 0 /16 6 /8 9 /0 9
20/Sep/2001:02 /16 0 /8 0 /0 0 /16 2 /8 2 /0 2
20/Sep/2001:03 /16 0 /8 0 /0 0 /16 0 /8 6 /0 6
20/Sep/2001:04 /16 0 /8 0 /0 1 /16 2 /8 3 /0 3
20/Sep/2001:05 /16 0 /8 0 /0 0 /16 1 /8 2 /0 2
20/Sep/2001:06 /16 0 /8 0 /0 1 /16 1 /8 2 /0 2
20/Sep/2001:07 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:08 /16 0 /8 0 /0 1 /16 1 /8 3 /0 4
20/Sep/2001:09 /16 0 /8 1 /0 1 /16 0 /8 4 /0 4
20/Sep/2001:10 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:11 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:12 /16 0 /8 0 /0 0 /16 0 /8 3 /0 3
20/Sep/2001:13 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:14 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:15 /16 0 /8 2 /0 2 /16 0 /8 4 /0 4
20/Sep/2001:16 /16 0 /8 0 /0 0 /16 0 /8 2 /0 4
20/Sep/2001:17 /16 0 /8 0 /0 0 /16 0 /8 3 /0 3
20/Sep/2001:18 /16 0 /8 2 /0 2 /16 0 /8 2 /0 2
20/Sep/2001:19 /16 0 /8 1 /0 1 /16 0 /8 2 /0 3
20/Sep/2001:20 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:21 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:22 /16 0 /8 0 /0 0 /16 0 /8 7 /0 7
20/Sep/2001:23 /16 0 /8 1 /0 1 /16 0 /8 2 /0 2

-- 
|  Bryan Andersen   |   bryan@visi.com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
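Added example, not part of the original message: one way to build an hourly table like the one above from an Apache access log. It assumes the /16, /8 and /0 columns count distinct source addresses that share that many leading bits with the web server, that SERVER_IP is the server's address, and that the request patterns are the usual Code Red and Nimda probe paths; the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

SERVER_IP = "10.20.1.5"  # assumption: address of the web server writing the log
PREFIXES = (16, 8, 0)    # column order used in the table above
# Code Red requests /default.ida; Nimda probes IIS paths for root.exe and cmd.exe.
SIGNATURES = {
    "CodeRed": re.compile(r"/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(root|cmd)\.exe", re.I),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2})[^\]]*\] "\S+ (\S+)')
# Constructed sample lines in Apache common log format (not taken from the post).
SAMPLE_LOG = """\
10.20.30.40 - - [21/Sep/2001:10:02:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.20.30.40 - - [21/Sep/2001:10:02:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
10.99.1.1 - - [21/Sep/2001:10:40:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230
198.51.100.7 - - [21/Sep/2001:11:05:44 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.9 - - [21/Sep/2001:11:07:00 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

def tally(log_text, server_ip=SERVER_IP):
    """Return {hour: {worm: {prefix_len: set of source IPs}}}, cumulative per prefix."""
    nets = {p: ipaddress.ip_network(f"{server_ip}/{p}", strict=False) for p in PREFIXES}
    hours = defaultdict(lambda: {w: {p: set() for p in PREFIXES} for w in SIGNATURES})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, hour, path = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # client field holds a hostname or garbage, skip it
        for worm, sig in SIGNATURES.items():
            if sig.search(path):
                for p, net in nets.items():
                    if addr in net:  # /0 always matches, /8 and /16 only for neighbours
                        hours[hour][worm][p].add(src)
                break
    return hours

def format_row(hour, counts):
    cells = [f"/{p} {len(counts[w][p])}" for w in SIGNATURES for p in PREFIXES]
    return f"{hour} " + " ".join(cells)

if __name__ == "__main__":
    for hour, counts in sorted(tally(SAMPLE_LOG).items()):
        print(format_row(hour, counts))
```

Counting distinct sources rather than requests keeps one probing host from inflating an hour, since a single Nimda scan issues several requests in a row.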


