Re: Has anyone seen this pattern?

From: Jay D. Dyson (jdyson@treachery.net)
Date: 10/19/01

• Previous message: Kelley, John: "RE: Trojan program"
• In reply to: VanMeter, John: "Has anyone seen this pattern?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 19 Oct 2001 08:46:25 -0700 (PDT)
From: "Jay D. Dyson" <jdyson@treachery.net>
To: "VanMeter, John" <John.VanMeter@ost.dot.gov>
Subject: Re: Has anyone seen this pattern?
Message-ID: <Pine.GSO.3.96.1011019084337.11356B-100000@crypto>

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 19 Oct 2001, VanMeter, John wrote:

> Interesting Pattern... if you look at the below information you can see two
> things.
> 1. All IP address start in the 199.x.x.x
> 2. the attacks use the same 13 attempted HTTP Attacks and 14
> Suspicious URL
> The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
> Suspicious URL.

        What are the URIs requested? Based on the request count alone,
I'd suspect it's a bunch of Nimda-infected hosts on the same network. I
see plenty of them from the Class A I'm on, and even more from the Class B
I'm on.

- -Jay

  ( ( _______
  )) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
 `--' `--' `- Peace without justice is life without living. -' `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO9A8xblDRyqRQ2a9AQGFjQP7BiZqvWlvV+/izf79Ct1Z4twRpv3NUFlv
rg6JizRH/N0zj25j1wNVfMzZrLm+nMmYWi4PQp47WqHdfN6qGJ3as6R41xK+6XDr
uhU9BcdBGCgzASgPhRfVG4SivshEHWCqUulfttKYG5ZbiHM/5qhmynYH3ggNtjZg
oEHjTB0N7ts=
=tUul
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Kelley, John: "RE: Trojan program"
• In reply to: VanMeter, John: "Has anyone seen this pattern?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Has anyone seen this pattern? ... Has anyone seen this pattern? ... On Fri, 19 Oct 2001, VanMeter, John wrote: ... > Suspicious URL ... (Security-Basics) Re: pieces of the puzzle ... Bjoern Feuerbacher wrote: ... > John Sefton wrote: ... yes, this pattern is pretty. ... Dirac's last conclusions on the photon were that ... (sci.physics) Re: pieces of the puzzle ... Bjoern Feuerbacher wrote: ... > John Sefton wrote: ... yes, this pattern is pretty. ... Dirac's last conclusions on the photon were that ... (sci.physics) Re: Kind of Blue ... John writes ... I am happy with this quilt, but mostly that it is finished. ... > of the hexagon pattern, and that is something I did not want to do. ... > sit here listening to the album of very good Jazz, by the same name, ... (rec.crafts.textiles.quilting) Re: Immortality vs. copies ... You are just talking about the loss of normal brain ... By nature of how we identify things (by using pattern detectors in our ... I will say "that's John" when my ... word "John" is a label for the output of our pattern detector, ... (comp.ai.philosophy)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2001-10