Re: Has anyone seen this pattern?

From: Jay D. Dyson (jdyson@treachery.net)
Date: 10/19/01


Date: Fri, 19 Oct 2001 08:46:25 -0700 (PDT)
From: "Jay D. Dyson" <jdyson@treachery.net>
To: "VanMeter, John" <John.VanMeter@ost.dot.gov>
Subject: Re: Has anyone seen this pattern?
Message-ID: <Pine.GSO.3.96.1011019084337.11356B-100000@crypto>


-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 19 Oct 2001, VanMeter, John wrote:

> Interesting Pattern... if you look at the below information you can see two
> things.
> 1. All IP addresses start in the 199.x.x.x
> 2. The attacks use the same 13 attempted HTTP Attacks and 14 Suspicious URL
> The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
> Suspicious URL.

        What are the URIs requested? Based on the request count alone,
I'd suspect it's a bunch of Nimda-infected hosts on the same network. I
see plenty of them from the Class A I'm on, and even more from the Class B
I'm on.

- -Jay

  ( ( _______
  )) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
 `--' `--' `- Peace without justice is life without living. -' `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com