It has been my understanding that the Nimda probes to web servers were always from nearby IP address blocks. I was reviewing the history of the scans on my apache server and noticed something strange with the addresses. My address is in 216.x.x.x. I received probes from 468 unique IPs. The probes to my web server started at 18/Sep/2001:09:24:22 EST, and they continue until this hour, and have yet to cease.

Breakdown:

205.x.x.x - 1 Host
206.x.x.x - 1 Host
207.x.x.x - 2 Hosts
208.x.x.x - 1 Host
209.x.x.x - 3 Hosts
216.x.x.x - 457 Hosts
63.x.x.x - 1 Host
64.x.x.x - 1 Host
65.x.x.x - 1 Host

Why the probes from the 63, 64, 65 blocks? Their signature definitely appears to be Nimda. Can someone explain?

Thanks,
Steve Cody

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
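The breakdown above can be reproduced from an Apache access log by picking out the Nimda IIS probe requests (which all end in root.exe or cmd.exe) and tallying the unique source addresses per first octet. This is an added example, not code from the post; the log lines are constructed, and the own-address value and the same-/16 vs. same-/8 buckets are assumptions chosen to show how local the probing sources are.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not from the original post).
SAMPLE_LOG = """\
216.1.2.3 - - [18/Sep/2001:09:24:22 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
216.1.2.3 - - [18/Sep/2001:09:24:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
216.9.8.7 - - [18/Sep/2001:10:01:05 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
63.5.5.5 - - [18/Sep/2001:11:12:13 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
209.4.4.4 - - [18/Sep/2001:11:30:00 -0500] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
10.0.0.9 - - [18/Sep/2001:12:00:00 -0500] "GET /index.html HTTP/1.0" 200 1523
"""

# Every Nimda IIS probe URI requests one of these two executables.
NIMDA_TARGETS = ("root.exe", "cmd.exe")

# Common log format prefix: client IP, ident, user, [timestamp], "METHOD URI ..."
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)'
)

def is_nimda_probe(uri):
    """True if the request URI matches the Nimda probe pattern."""
    low = uri.lower()
    return any(t in low for t in NIMDA_TARGETS)

def probing_hosts(log_text):
    """Return the set of unique source IPs that sent a Nimda-style probe."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group("uri")):
            hosts.add(m.group("ip"))
    return hosts

def breakdown_by_first_octet(hosts):
    """Count probing hosts per first octet, as in the post's breakdown."""
    return Counter(h.split(".")[0] for h in hosts)

def locality(hosts, own_ip):
    """Bucket probing hosts by how much address prefix they share with own_ip.
    Nimda preferred targets sharing its host's leading octets, so most probes
    land in the 'same /16' and 'same /8' buckets; the rest come from anywhere."""
    own = own_ip.split(".")
    buckets = Counter()
    for h in hosts:
        parts = h.split(".")
        if parts[:2] == own[:2]:
            buckets["same /16"] += 1
        elif parts[0] == own[0]:
            buckets["same /8"] += 1
        else:
            buckets["elsewhere"] += 1
    return buckets

if __name__ == "__main__":
    hosts = probing_hosts(SAMPLE_LOG)
    print(breakdown_by_first_octet(hosts))
    print(locality(hosts, "216.1.50.50"))  # assumed own address
```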
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 11:38:54 PDT