Nimda Probes by Hour

From: Bryan Andersen (bryanat_private)
Date: Wed Sep 19 2001 - 12:48:33 PDT

    Breakdown by hour so far (TZ=-500)
    /16, /8, /0 are probes for:
      "GET /MSADC/root.exe?/c+dir HTTP/1.0"
    which is one of the probes the nimda worm is using.
    
                         net
    dd/mmm/yyyy:hh  ida  /16  /8   /0
    --------------  ---  ---  ---  ---
    18/Sep/2001:08   0     8   15   15
    18/Sep/2001:09   0    12   17   18
    18/Sep/2001:10   1    16   18   18
    18/Sep/2001:11   0    17   25   25
    18/Sep/2001:12   2    15   27   27
    18/Sep/2001:13   0    11   20   20
    18/Sep/2001:14   2     6   13   13
    18/Sep/2001:15   2     3   11   11
    18/Sep/2001:16   0     3   11   11
    18/Sep/2001:17   2     8   18   18
    18/Sep/2001:18   3     9   20   21
    18/Sep/2001:19   0     6   23   23
    18/Sep/2001:20   1     3   15   15
    18/Sep/2001:21   0     8   20   21
    18/Sep/2001:22   1     9   20   21
    18/Sep/2001:23   1     8   19   19
    19/Sep/2001:00   1     8   11   11
    19/Sep/2001:01   1    14   26   26
    19/Sep/2001:02   0    14   28   30
    19/Sep/2001:03   1     3   12   12
    19/Sep/2001:04   1    10   14   14
    19/Sep/2001:05   0    10   15   15
    19/Sep/2001:06   1    11   16   16
    19/Sep/2001:07   1     9   14   14
    19/Sep/2001:08   0    10   16   17
    19/Sep/2001:09   0     4    6    7
    19/Sep/2001:10   0     1    2    2
    19/Sep/2001:11   1     3    5    6
    19/Sep/2001:12   0     2    4    4
    19/Sep/2001:13   0     7   10   10
    
    I wrote a quick and dirty shell script to get counts by hour.  
    I've placed a copy at:
    
        http://www.nerdvest.com/security/get-times.bash
    
    I originally wrote the script to search for .ida counts by day 
    and have extended it for .exe counts by hour.  It expects standard 
    Apache log file format and uses simple greps and word counts to do 
    its work.  It was developed on an OpenBSD system with the bash 
    shell added.  The output format is different than above.  There 
    are a few lines that would need customization for your site.
    
    
    -- 
    |  Bryan Andersen   |   bryanat_private   |   http://www.nerdvest.com   |
    | Buzzwords are like annoying little flies that deserve to be swatted. |
    |   -Bryan Andersen                                                    |
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
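As an added example (not Bryan's get-times.bash, which is not reproduced on this page), the following POSIX shell function counts .ida requests and the "root.exe?/c+dir" probe named above per hour from Apache common-log lines, splitting the root.exe column by whether the source shares the server's /16 or /8, in the layout of the table in the post. The local address 10.0.0.1 and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Bryan's get-times.bash: tally Nimda-style probes per hour
# from Apache common-log lines, in the column layout of the table above.
# Assumes Apache common log format: %h %l %u %t "%r" %>s %b

# Constructed sample lines (not from the original post's logs).
SAMPLE_LOG='10.0.1.5 - - [18/Sep/2001:08:03:11 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
10.9.2.7 - - [18/Sep/2001:08:15:42 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
192.0.2.9 - - [18/Sep/2001:08:40:09 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 286
203.0.113.4 - - [18/Sep/2001:08:55:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
198.51.100.3 - - [18/Sep/2001:09:02:55 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.4.8 - - [18/Sep/2001:09:10:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286
10.0.4.8 - - [18/Sep/2001:09:30:00 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 286'

# count_probes LOCAL_IP < access_log
# Prints one row per hour (in log order):  dd/mmm/yyyy:hh  ida  /16  /8  /0
# ida = requests for a .ida URL; /16 and /8 = root.exe?/c+dir probes whose
# source shares LOCAL_IP's first two / first octet; /0 = same probe, any source.
count_probes() {
  awk -v local_ip="$1" '
    BEGIN {
      split(local_ip, l, ".")
      net16 = l[1] "." l[2]; net8 = l[1]
    }
    {
      # $4 is "[18/Sep/2001:08:03:11"; keep dd/mmm/yyyy:hh
      ts = substr($4, 2, 14)
      if (!(ts in seen)) { seen[ts] = 1; order[++n] = ts }
      if (index($0, ".ida?")) ida[ts]++
      if (index($0, "root.exe?/c+dir")) {
        n0[ts]++
        split($1, s, ".")
        if (s[1] == net8) n8[ts]++
        if ((s[1] "." s[2]) == net16) n16[ts]++
      }
    }
    END {
      printf "%-14s %4s %4s %4s %4s\n", "dd/mmm/yyyy:hh", "ida", "/16", "/8", "/0"
      for (i = 1; i <= n; i++) {
        t = order[i]
        printf "%-14s %4d %4d %4d %4d\n", t, ida[t]+0, n16[t]+0, n8[t]+0, n0[t]+0
      }
    }'
}

# Usage on a real server: count_probes 10.0.0.1 < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | count_probes 10.0.0.1
```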
    



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:50:39 PDT