Re: Nimda Infections and code red resurgence
From: Dug Song (dugsong@monkey.org) Date: 05/08/02
Date: Wed, 8 May 2002 17:33:17 -0400 From: Dug Song <dugsong@monkey.org> To: incidents@securityfocus.com
On Wed, Nov 14, 2001 at 11:17:20AM +1300, Russell Fulton wrote:
> Code Red never went away, it just sleeps on the 19th (or 20th ?) of the
> month and reawakes on the 1st. Since it is cleared by rebooting then
> many infections die off over the ten days.
a graph of unique infected hosts per day since December 2000, as seen
on our blackhole monitor (watching an unused /8):
http://www.monkey.org/~dugsong/worms.jpg
> What puzzles me however is that we see the odd machine in some
> unrelated /8 probing at very high rates (well over 100 per hour).
> On at least one occasion I verified (from the IDS) that the machine
> was attempting Nimda style attacks on any web server it found.
we have seen these too - check the User-Agent: header, and you may
find that some of them are from a free third-party win32 HTTP library
(CSHttpClient). widespread scanning for the IIS Unicode directory
traversal bug has been going on since late last year - perhaps
attackers are trying to hide their scans in all the noise...
-d.
---
http://www.monkey.org/~dugsong/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
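As an added example (not code from the post or from the list), a small Python log review that applies the two checks discussed above: it picks out hosts sending IIS Unicode traversal / Nimda-style probes, flags any host exceeding 100 probes in a single hour, and lists the User-Agent strings each host presented. The log lines, IP addresses and the "CSHttpClient" agent value are constructed for the demo; the probe-path fragments are the widely published signatures, used here only for detection.

```python
import re
from collections import defaultdict

# Widely published IIS Unicode traversal / Nimda probe fragments, used purely
# as detection signatures here.
PROBE_RE = re.compile(r"(?:\.\.%c0%af|\.\.%c1%1c|/cmd\.exe|/root\.exe)", re.IGNORECASE)

# NCSA combined log format: ip ident user [date] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d\d)/(?P<mon>\w{3})/(?P<year>\d{4}):'
    r'(?P<hour>\d\d):\d\d:\d\d [^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, hour_bucket, path, user_agent), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], f"{m['year']}-{m['mon']}-{m['day']} {m['hour']}h", m["path"], m["ua"])

def summarize_probes(lines, threshold=100):
    """Per source IP: total probe hits, busiest hour, user agents seen, and whether
    the host exceeded `threshold` probes in any single hour (the post's ~100/hour)."""
    per_hour = defaultdict(lambda: defaultdict(int))  # ip -> hour bucket -> hits
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec[2]):
            continue  # unparseable or not a probe; ignore
        ip, hour, _path, ua = rec
        per_hour[ip][hour] += 1
        agents[ip].add(ua)
    return {
        ip: {"hits": sum(h.values()), "peak_per_hour": max(h.values()),
             "agents": sorted(agents[ip]), "high_rate": max(h.values()) > threshold}
        for ip, h in per_hour.items()
    }

def constructed_sample():
    """Constructed sample log (not real traffic): one noisy scanner host presenting
    the CSHttpClient agent, one slow worm-like host with no agent, one benign hit."""
    fmt = '{ip} - - [08/May/2002:17:{mm:02d}:{ss:02d} -0400] "GET {path} HTTP/1.0" 404 0 "-" "{ua}"'
    probes = ["/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", "/MSADC/root.exe?/c+dir"]
    lines = [fmt.format(ip="198.51.100.7", mm=i // 2, ss=(i % 2) * 30, path=probes[i % 2],
                        ua="CSHttpClient") for i in range(120)]  # 120 probes in one hour
    lines += [fmt.format(ip="203.0.113.9", mm=5, ss=s, path=probes[0], ua="-") for s in (1, 2)]
    lines.append(fmt.format(ip="192.0.2.44", mm=9, ss=0, path="/index.html", ua="Mozilla/4.0"))
    return lines
```

Running `summarize_probes(constructed_sample())` reports the 120-probe host as high-rate with agent "CSHttpClient", the two-probe host as low-rate, and omits the benign request entirely.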