Nimda.E having an impact ??

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 10/31/01


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: incidents@securityfocus.com
Subject: Nimda.E having an impact  ??
Message-ID: <SIMEON.10111011013.I26305@bluebottle.itss>
Date: Thu, 1 Nov 2001 10:29:13 +1300 (NZDT)

Does Nimda.E have a different scanning strategy than previous versions?

Although the number of machines that I see probing us on port 80
remains fairly stable, I notice that the actual volume of probes
is up significantly over the last 24 hours. We are also seeing many
more machines in our own class A.

Some stats (these are of machines that probed port 80 on an address
where nothing was listening, over a 1 hour period, 0800-0900 UTC +1200):

                              31 Oct    1 Nov
total number                    1960     1947
number in 130.0.0.0/8              7       37   (1)
number with more than 100          8        9
number with more than 10          21       55

number of unicode attacks         12       19   (2)

notes:
1/ we are 130.216.0.0/16
2/ number of hosts on our network attacked as seen by snort on our DMZ

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
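
The per-source tallies in the message above (sources seen, sources inside the local /8, sources over a probe-count threshold) can be computed from connection records as in this added example, which is not part of the original post. The log line format, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

DARK = ["192.0.2.10", "192.0.2.11"]  # constructed: addresses with no listener

def parse(lines):
    """Yield (src, dst, dport) from 'timestamp src dst dport' lines (assumed format)."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than miscount them
        try:
            yield (ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def summarize(lines, dark, local_net, port=80, thresholds=(100, 10)):
    """Per-source tallies of probes sent to unused addresses on one port."""
    net = ipaddress.ip_network(local_net)
    dark = {ipaddress.ip_address(a) for a in dark}
    per_src = Counter(src for src, dst, dport in parse(lines)
                      if dport == port and dst in dark)
    return {
        "sources": len(per_src),
        "probes": sum(per_src.values()),
        "sources_in_local_net": sum(1 for s in per_src if s in net),
        "more_than": {t: sum(1 for n in per_src.values() if n > t)
                      for t in thresholds},
    }

def build_hour(day, counts):
    """Constructed log lines; counts maps source address -> number of probes."""
    return [f"{day}T08:00:00 {src} {DARK[i % 2]} 80"
            for src, n in counts.items() for i in range(n)]

# Constructed sample data (documentation address ranges), not real traffic.
HOUR_A = build_hour("2001-10-31",
                    {"198.51.100.7": 3, "203.0.113.9": 12, "198.51.100.8": 1})
HOUR_B = build_hour("2001-11-01",
                    {"198.51.100.7": 15, "203.0.113.9": 120, "192.0.2.50": 11})
HOUR_B += ["2001-11-01T08:00:00 203.0.113.9 192.0.2.10 443", "garbage line"]

if __name__ == "__main__":
    for name, hour in (("hour A", HOUR_A), ("hour B", HOUR_B)):
        print(name, summarize(hour, DARK, "192.0.0.0/8"))
```

In the constructed data the number of distinct sources is the same in both hours while the probe volume and the over-threshold counts rise, the same pattern the message reports.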


