Hi,

On Tue, Sep 18, 2001 at 09:43:09AM -0500, Cory McIntire wrote:
> I and a few others I know are getting bombarded on our machines with IIS
> requests.... looks like another worm, and it's much smarter than before, it
> seems to stay within the same class A and sometimes the same class B as the
> attacking machine is in. Here is an excerpt of what I believe is the full
> scan....

I do get the same stuff. However, there seems to be some more to it.
Before all the http-requests, I received several packets to port 137 as
shown below:

Sep 18 17:29:57 Trip kernel: Packet log: ipppIN DENY ppp0 PROTO=17 xxx.xxx.xxx.xxx:137 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=32703 F=0x0000 T=123 (#4)

I agree about them being from the same class B network most of the time,
but I had some requests from a different class A network, too. Only
address so far, though.

regards,
Oliver Ehli

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:37:33 PDT