On Tue, Sep 18, 2001 at 05:43:40PM -0400, Jose Nazario wrote:
> On Tue, 18 Sep 2001, Olle Segerdahl wrote:
>
> > Quick analysis indicates that it propagates itself in a number of
> > different ways:
>
> any info on how it determines the networks to spread to/scan? the email
> and IIS vulnerability scans are what i'm talking about. is it assuming
> class B addresses?
>
> i ask because our netmasks around here are in the neighborhood of /22,
> though our servers are seeing scans from the whole /16.

	Seems to be weighted probabilistic on octet boundaries.  Probes to
a /16 are more probable than probes to /8 which are more probable than
probes to /0.  Some reports indicate higher probability to /24 but I
can't personally confirm that (since I control all /24 range space that
any of my servers reside in).  Just because it's more likely to probe
within the /16 space it resides in, it doesn't mean that it won't probe
outside of it.  Quite the contrary, actually.

> i haven't been tracking the email propagation.
>
> thanks.
>
> ____________________________
> jose nazario joseat_private
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
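Added example, not part of the original thread: one way a site could check the octet-boundary locality described above against its own probe logs, by bucketing distinct probe sources by the longest octet-aligned prefix they share with the sensor. The function names, the log format and all addresses are constructed for illustration; the baseline assumes infected hosts are spread uniformly over IPv4 space.

```python
import ipaddress
from collections import Counter

SENSOR = "10.20.30.40"  # constructed sensor address

# Constructed probe log: "<timestamp> <source ip> <destination port>"
SAMPLE_LOG = """\
2001-09-18T21:40:02 10.20.30.7 80
2001-09-18T21:40:05 10.20.99.5 80
2001-09-18T21:40:09 10.20.14.200 80
2001-09-18T21:40:11 10.77.1.1 80
2001-09-18T21:40:15 203.0.113.9 80
2001-09-18T21:40:19 10.20.99.5 80
"""

def parse_sources(log_text):
    """Return the source address from every well-formed log line."""
    return [f[1] for f in (ln.split() for ln in log_text.splitlines()) if len(f) == 3]

def shared_octets(a, b):
    """Count the leading octets (0 to 4) that two IPv4 addresses share."""
    n = 0
    for x, y in zip(ipaddress.IPv4Address(a).packed, ipaddress.IPv4Address(b).packed):
        if x != y:
            break
        n += 1
    return n

def locality_profile(sensor, sources):
    """Bucket distinct sources by longest shared octet prefix: /24, /16, /8 or /0."""
    counts = Counter(min(shared_octets(sensor, s), 3) * 8 for s in set(sources))
    return {plen: counts.get(plen, 0) for plen in (24, 16, 8, 0)}

def overrepresentation(profile):
    """Observed share of each bucket divided by that bucket's share of IPv4 space.

    A ratio near 1 is what uniformly spread sources would give; a ratio far
    above 1 for /16 or /24 indicates locally weighted scanning.
    """
    total = sum(profile.values())
    sizes = {24: 2**8, 16: 2**16 - 2**8, 8: 2**24 - 2**16, 0: 2**32 - 2**24}
    if total == 0:
        return {p: 0.0 for p in profile}
    return {p: (profile[p] / total) / (sizes[p] / 2**32) for p in profile}

if __name__ == "__main__":
    prof = locality_profile(SENSOR, parse_sources(SAMPLE_LOG))
    for plen, ratio in overrepresentation(prof).items():
        print(f"/{plen}: {prof[plen]} sources, {ratio:.1f}x uniform baseline")
```

Buckets are exclusive: a source in the sensor's /24 is counted only there, not again under /16 or /8.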
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 19:31:52 PDT