Re: CRv2 multiple scans from same source IP

From: corecode (corecodeat_private)
Date: Mon Aug 06 2001 - 14:39:36 PDT


    At 08:51 PM 8/6/2001, Andy Berkheimer wrote:
    
    > >On Mon, 6 Aug 2001, corecode wrote:
    > >
    > >> it could generate the same ip address again in its PRNG but the chance
    > >> of this happening is near 0.
    > >
    > >You're saying that the chance it will try a duplicate IP again later is 0?
    > >Not quite 0...
    > >
    > >My logs also bear out that dupes are common.
    
    ok. thank you for all the emails :)
    
    generating the same ip address is of course probable - more probable than 
    with code red.
    but i was talking about infection attempts following right after each 
    other. this should still be most unlikely.
    i don't know how one can explain these mass dupes, perhaps a proxy trying 
    to establish a connection, or a NAT'ed network behind?
    
    cheerz
       corecode
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


