Re: Yet Another Nimda Thread (YANT)

From: Bryan Andersen (bryan@visi.com)
Date: 09/21/01


Message-ID: <3BAB83B1.7A46A551@visi.com>
Date: Fri, 21 Sep 2001 13:15:13 -0500
From: Bryan Andersen <bryan@visi.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Subject: Re: Yet Another Nimda Thread (YANT)


"Portnoy, Gary" wrote:
>
> I heard there were a few reports of Nimda going completely quiet in certain
> netblocks, but none were substantiated. I haven't seen a single Nimda IIS
> exploit attempt since a little before 10 AM (EST). I checked my IDS, apache
> logs, IIS logs -- nothing. Seems like it went silent. Still seeing CodeRed
> though. Can anyone correlate? I am somewhere in the 12.27 netblock :)

I wish I could say things have gone all quiet, but I've
seen 20 scans so far today. 2 in the past hour. Looks
like I have three to forward to my ISP. Times are (-500)

dd/mmm/yyyy:hh CodeRed Nimda
-------------- -------------------- ---------------------
21/Sep/2001:00 /16 0 /8 0 /0 0 /16 0 /8 4 /0 4
21/Sep/2001:01 /16 0 /8 0 /0 1 /16 0 /8 4 /0 4
21/Sep/2001:02 /16 0 /8 0 /0 0 /16 0 /8 4 /0 4
21/Sep/2001:03 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
21/Sep/2001:04 /16 0 /8 0 /0 1 /16 0 /8 1 /0 1
21/Sep/2001:05 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:06 /16 0 /8 0 /0 1 /16 0 /8 0 /0 0
21/Sep/2001:07 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:08 /16 0 /8 0 /0 0 /16 0 /8 0 /0 0
21/Sep/2001:09 /16 0 /8 0 /0 1 /16 0 /8 0 /0 0
21/Sep/2001:10 /16 0 /8 0 /0 0 /16 1 /8 1 /0 2
21/Sep/2001:11 /16 1 /8 1 /0 1 /16 0 /8 1 /0 1
21/Sep/2001:12 /16 1 /8 1 /0 1 /16 2 /8 2 /0 2

18/Sep/2001:08 /16 0 /8 0 /0 0 /16 8 /8 15 /0 15
18/Sep/2001:09 /16 0 /8 0 /0 0 /16 12 /8 17 /0 18
18/Sep/2001:10 /16 0 /8 1 /0 1 /16 16 /8 18 /0 18
18/Sep/2001:11 /16 0 /8 0 /0 0 /16 17 /8 25 /0 25
18/Sep/2001:12 /16 0 /8 0 /0 2 /16 15 /8 27 /0 27
18/Sep/2001:13 /16 0 /8 0 /0 0 /16 11 /8 20 /0 20
18/Sep/2001:14 /16 0 /8 2 /0 2 /16 6 /8 13 /0 13
18/Sep/2001:15 /16 0 /8 2 /0 2 /16 3 /8 11 /0 11
18/Sep/2001:16 /16 0 /8 0 /0 0 /16 3 /8 11 /0 11
18/Sep/2001:17 /16 0 /8 2 /0 2 /16 8 /8 18 /0 18
18/Sep/2001:18 /16 0 /8 3 /0 3 /16 9 /8 20 /0 21
18/Sep/2001:19 /16 0 /8 0 /0 0 /16 6 /8 23 /0 23
18/Sep/2001:20 /16 0 /8 0 /0 1 /16 3 /8 15 /0 15
18/Sep/2001:21 /16 0 /8 0 /0 0 /16 8 /8 20 /0 21
18/Sep/2001:22 /16 0 /8 0 /0 1 /16 9 /8 20 /0 21
18/Sep/2001:23 /16 0 /8 1 /0 1 /16 8 /8 19 /0 19
19/Sep/2001:00 /16 0 /8 0 /0 1 /16 8 /8 11 /0 11
19/Sep/2001:01 /16 0 /8 1 /0 1 /16 14 /8 26 /0 26
19/Sep/2001:02 /16 0 /8 0 /0 0 /16 14 /8 28 /0 30
19/Sep/2001:03 /16 0 /8 1 /0 1 /16 3 /8 12 /0 12
19/Sep/2001:04 /16 0 /8 1 /0 1 /16 10 /8 14 /0 14
19/Sep/2001:05 /16 0 /8 0 /0 0 /16 10 /8 15 /0 15
19/Sep/2001:06 /16 0 /8 1 /0 1 /16 11 /8 16 /0 16
19/Sep/2001:07 /16 0 /8 0 /0 1 /16 9 /8 14 /0 14
19/Sep/2001:08 /16 0 /8 0 /0 0 /16 10 /8 16 /0 17
19/Sep/2001:09 /16 0 /8 0 /0 0 /16 4 /8 6 /0 7
19/Sep/2001:10 /16 0 /8 0 /0 0 /16 1 /8 2 /0 2
19/Sep/2001:11 /16 0 /8 1 /0 1 /16 3 /8 5 /0 6
19/Sep/2001:12 /16 0 /8 0 /0 0 /16 2 /8 4 /0 4
19/Sep/2001:13 /16 0 /8 0 /0 0 /16 7 /8 10 /0 10
19/Sep/2001:14 /16 0 /8 0 /0 0 /16 2 /8 13 /0 13
19/Sep/2001:15 /16 0 /8 0 /0 0 /16 2 /8 12 /0 12
19/Sep/2001:16 /16 0 /8 1 /0 1 /16 5 /8 9 /0 9
19/Sep/2001:17 /16 0 /8 0 /0 1 /16 7 /8 12 /0 12
19/Sep/2001:18 /16 0 /8 0 /0 1 /16 3 /8 7 /0 7
19/Sep/2001:19 /16 0 /8 0 /0 0 /16 3 /8 5 /0 6
19/Sep/2001:20 /16 0 /8 0 /0 0 /16 5 /8 7 /0 7
19/Sep/2001:21 /16 0 /8 0 /0 0 /16 1 /8 8 /0 8
19/Sep/2001:22 /16 0 /8 0 /0 0 /16 1 /8 9 /0 10
19/Sep/2001:23 /16 0 /8 0 /0 0 /16 1 /8 8 /0 8
20/Sep/2001:00 /16 0 /8 1 /0 2 /16 2 /8 4 /0 4
20/Sep/2001:01 /16 0 /8 0 /0 0 /16 6 /8 9 /0 9
20/Sep/2001:02 /16 0 /8 0 /0 0 /16 2 /8 2 /0 2
20/Sep/2001:03 /16 0 /8 0 /0 0 /16 0 /8 6 /0 6
20/Sep/2001:04 /16 0 /8 0 /0 1 /16 2 /8 3 /0 3
20/Sep/2001:05 /16 0 /8 0 /0 0 /16 1 /8 2 /0 2
20/Sep/2001:06 /16 0 /8 0 /0 1 /16 1 /8 2 /0 2
20/Sep/2001:07 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:08 /16 0 /8 0 /0 1 /16 1 /8 3 /0 4
20/Sep/2001:09 /16 0 /8 1 /0 1 /16 0 /8 4 /0 4
20/Sep/2001:10 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:11 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:12 /16 0 /8 0 /0 0 /16 0 /8 3 /0 3
20/Sep/2001:13 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:14 /16 0 /8 0 /0 0 /16 0 /8 2 /0 2
20/Sep/2001:15 /16 0 /8 2 /0 2 /16 0 /8 4 /0 4
20/Sep/2001:16 /16 0 /8 0 /0 0 /16 0 /8 2 /0 4
20/Sep/2001:17 /16 0 /8 0 /0 0 /16 0 /8 3 /0 3
20/Sep/2001:18 /16 0 /8 2 /0 2 /16 0 /8 2 /0 2
20/Sep/2001:19 /16 0 /8 1 /0 1 /16 0 /8 2 /0 3
20/Sep/2001:20 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:21 /16 0 /8 0 /0 0 /16 0 /8 1 /0 1
20/Sep/2001:22 /16 0 /8 0 /0 0 /16 0 /8 7 /0 7
20/Sep/2001:23 /16 0 /8 1 /0 1 /16 0 /8 2 /0 2

-- 
|  Bryan Andersen   |   bryan@visi.com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
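
An added example, not part of the original post and not the poster's script: one way to build an hourly table like the one above from an Apache access log. It assumes the /16, /8 and /0 columns count distinct scanning sources that share that many leading address bits with the logging server, and that CodeRed is recognised by `/default.ida?` requests and Nimda by `cmd.exe` / `root.exe` requests. The server address `10.1.2.3` and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: client address, [dd/Mon/yyyy:hh:...], request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d):[^\]]*\] "[A-Z]+ (\S+)')
SIGNATURES = {  # assumed request signatures for each worm
    "CodeRed": re.compile(r"/default\.ida\?", re.I),
    "Nimda": re.compile(r"(?:cmd|root)\.exe", re.I),
}
PREFIXES = (16, 8, 0)

def tally(lines, server_ip):
    """Return {hour: {worm: {prefix_len: distinct source count}}}."""
    nets = {p: ipaddress.ip_network(f"{server_ip}/{p}", strict=False) for p in PREFIXES}
    seen = defaultdict(lambda: {w: {p: set() for p in PREFIXES} for w in SIGNATURES})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, hour, path = m.groups()
        worm = next((w for w, sig in SIGNATURES.items() if sig.search(path)), None)
        if worm is None:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # resolved hostname in the log; cannot be bucketed by prefix
        for p, net in nets.items():
            if addr in net:  # /0 matches every IPv4 source, so it is the hourly total
                seen[hour][worm][p].add(addr)
    return {h: {w: {p: len(s) for p, s in by_p.items()} for w, by_p in by_w.items()}
            for h, by_w in seen.items()}

def render(table):
    """Format rows as 'dd/Mon/yyyy:hh  <CodeRed cells>   <Nimda cells>'."""
    rows = []
    for hour in sorted(table, key=lambda h: datetime.strptime(h, "%d/%b/%Y:%H")):
        cells = [" ".join(f"/{p} {table[hour][w][p]:>2}" for p in PREFIXES) for w in SIGNATURES]
        rows.append(f"{hour}  " + "   ".join(cells))
    return rows

SAMPLE_LOG = [  # constructed log lines, private source addresses
    '10.1.9.9 - - [21/Sep/2001:12:01:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '10.1.9.9 - - [21/Sep/2001:12:01:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '10.200.1.1 - - [21/Sep/2001:12:30:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212',
    '172.16.5.5 - - [21/Sep/2001:12:40:00 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205',
    '172.16.5.6 - - [21/Sep/2001:13:05:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]
if __name__ == "__main__":
    print("\n".join(render(tally(SAMPLE_LOG, "10.1.2.3"))))
```

Counting distinct sources per hour rather than raw requests keeps one scanning host, which sends several probe requests, from inflating the totals.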
