Breakdown by hour so far (TZ=-500)

/16, /8, /0 are probes for: "GET /MSADC/root.exe?/c+dir HTTP/1.0" which is one of the probes the nimda worm is using.

                          net
dd/mmm/yyyy:hh  ida  /16   /8   /0
--------------  ---  ---  ---  ---
18/Sep/2001:08    0    8   15   15
18/Sep/2001:09    0   12   17   18
18/Sep/2001:10    1   16   18   18
18/Sep/2001:11    0   17   25   25
18/Sep/2001:12    2   15   27   27
18/Sep/2001:13    0   11   20   20
18/Sep/2001:14    2    6   13   13
18/Sep/2001:15    2    3   11   11
18/Sep/2001:16    0    3   11   11
18/Sep/2001:17    2    8   18   18
18/Sep/2001:18    3    9   20   21
18/Sep/2001:19    0    6   23   23
18/Sep/2001:20    1    3   15   15
18/Sep/2001:21    0    8   20   21
18/Sep/2001:22    1    9   20   21
18/Sep/2001:23    1    8   19   19
19/Sep/2001:00    1    8   11   11
19/Sep/2001:01    1   14   26   26
19/Sep/2001:02    0   14   28   30
19/Sep/2001:03    1    3   12   12
19/Sep/2001:04    1   10   14   14
19/Sep/2001:05    0   10   15   15
19/Sep/2001:06    1   11   16   16
19/Sep/2001:07    1    9   14   14
19/Sep/2001:08    0   10   16   17
19/Sep/2001:09    0    4    6    7
19/Sep/2001:10    0    1    2    2
19/Sep/2001:11    1    3    5    6
19/Sep/2001:12    0    2    4    4
19/Sep/2001:13    0    7   10   10

I wrote a quick and dirty shell script to get counts by hour. I've placed a copy at: http://www.nerdvest.com/security/get-times.bash

I originally wrote the script to search for .ida counts by day and have extended it for .exe counts by hour. It expects standard Apache log file format and uses simple greps and word counts to do its work. It was developed on an OpenBSD system with the bash shell added. The output format is different than above. There are a few lines that would need customization for your site.

-- 
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
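A script in the spirit of the one described in the post, written here as an added example (it is not Bryan's get-times.bash, which this archive page does not reproduce): it reads Apache common-log lines from stdin and prints, per hour, the count of .ida requests and of root.exe probes, split by whether the source address shares the server's /16, its /8, or nothing (that reading of the /16, /8, /0 columns is an assumption drawn from the table). The sample log lines and the server address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example: per-hour probe counts from Apache common/combined log lines on stdin.
# Usage: count_probes LOCAL_IP < access_log
# Columns: ida = requests for a .ida URL; /16, /8, /0 = root.exe probes whose source
# shares the first two octets, the first octet, or nothing with LOCAL_IP (assumed meaning).
count_probes() {
    awk -v local_ip="$1" '
    BEGIN {
        split(local_ip, o, "[.]")
        local8  = o[1]
        local16 = o[1] "." o[2]
    }
    {
        split($1, s, "[.]")                 # source address octets
        hour = substr($4, 2, 14)            # "[dd/Mon/yyyy:hh:mm:ss" -> "dd/Mon/yyyy:hh"
        req = $0                            # isolate the quoted request line
        sub(/^[^"]*"/, "", req); sub(/".*$/, "", req)
        if (!(hour in seen)) { order[++n] = hour; seen[hour] = 1 }
        if (index(req, ".ida?") > 0) ida[hour]++
        if (index(req, "GET /MSADC/root.exe?/c+dir") == 1) {
            all[hour]++
            if (s[1] == local8) {
                same8[hour]++
                if ((s[1] "." s[2]) == local16) same16[hour]++
            }
        }
    }
    END {
        printf "%-14s %4s %4s %4s %4s\n", "net", "ida", "/16", "/8", "/0"
        for (i = 1; i <= n; i++) {
            h = order[i]
            printf "%-14s %4d %4d %4d %4d\n", h, ida[h], same16[h], same8[h], all[h]
        }
    }'
}

# Constructed sample log (documentation address ranges); the server is assumed to be 192.0.2.10.
SAMPLE_LOG='192.0.2.44 - - [18/Sep/2001:08:15:32 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
192.168.7.9 - - [18/Sep/2001:08:16:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.5 - - [18/Sep/2001:08:17:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
203.0.113.7 - - [18/Sep/2001:08:20:10 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 276
192.0.2.99 - - [18/Sep/2001:09:02:13 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.8 - - [18/Sep/2001:09:05:55 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276'

printf '%s\n' "$SAMPLE_LOG" | count_probes 192.0.2.10
```

Hours appear in the order they are first seen, so a chronological log gives a chronological table without a separate sort.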
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:50:39 PDT