Are you asking whether anyone has seen a lack of the scans in their own
netblock (ie: 128.122), or in everything inclusive of that netblock (ie: 128)?

I found a really cool script from this guy Bryan Andersen on one of the
newsgroups, that tests for how many pokes you've seen from the Nimda worm,
and as of 2:00pm yesterday, I haven't seen any from inside our own. See below:

Column i represents .ida requests on our network, column /16 is our network
representing a Nimda file request and you know the rest from there.

20/Sep/2001:14 i 1 /16 0 /8 2 /0 2
20/Sep/2001:15 i 0 /16 0 /8 1 /0 1
20/Sep/2001:16 i 0 /16 0 /8 0 /0 0
20/Sep/2001:17 i 1 /16 0 /8 0 /0 0
20/Sep/2001:18 i 1 /16 0 /8 1 /0 1
20/Sep/2001:19 i 0 /16 0 /8 0 /0 0
20/Sep/2001:20 i 0 /16 0 /8 0 /0 1
20/Sep/2001:21 i 0 /16 0 /8 0 /0 2
20/Sep/2001:22 i 0 /16 0 /8 0 /0 0
20/Sep/2001:23 i 1 /16 0 /8 0 /0 2
21/Sep/2001:00 i 1 /16 0 /8 0 /0 0
21/Sep/2001:01 i 1 /16 0 /8 1 /0 1
21/Sep/2001:02 i 0 /16 0 /8 2 /0 2
21/Sep/2001:03 i 0 /16 0 /8 1 /0 1
21/Sep/2001:04 i 1 /16 0 /8 1 /0 3
21/Sep/2001:05 i 0 /16 0 /8 3 /0 4
21/Sep/2001:06 i 0 /16 0 /8 1 /0 1
21/Sep/2001:07 i 1 /16 0 /8 0 /0 1
21/Sep/2001:08 i 0 /16 0 /8 0 /0 0
21/Sep/2001:09 i 0 /16 0 /8 0 /0 0
21/Sep/2001:10 i 1 /16 0 /8 1 /0 2
21/Sep/2001:11 i 0 /16 0 /8 0 /0 0
21/Sep/2001:12 i 0 /16 0 /8 0 /0 0
21/Sep/2001:13 i 1 /16 0 /8 0 /0 0

I don't know whether to be happy, or whether to be in fear of the storm to
come...

--------------------------------------------------------------------
Tracey Losco
Network Security Analyst        securityat_private
ITS - Network Services          http://www.nyu.edu/its/security
New York University             (212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0 B19E 462B 9DFE 51F5

At 12:46 PM -0400 9/21/01, Portnoy, Gary wrote:
>I heard there were a few reports of Nimda going completely quiet in certain
>netblocks, but none were substantiated. I haven't seen a single Nimda IIS
>exploit attempt since a little before 10 AM (EST). I checked my IDS, apache
>logs, IIS logs -- nothing. Seems like it went silent. Still seeing CodeRed
>though. Can anyone correlate? I am somewhere in the 12.27 netblock :)
>
>-Gary-
>
>Gary Portnoy
>Network Administrator
>gportnoyat_private
>
>PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

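A per-hour tally like the table in the message above can be produced from a web server access log along these lines. This is an added example, not Bryan Andersen's script and not part of the original post. The own-network address, the request signatures (.ida for the Code Red style probe, cmd.exe and root.exe for Nimda), the cumulative reading of the /16, /8 and /0 columns, and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

OWN_ADDR = "10.20.1.1"  # assumption: any address inside the monitored network
# Assumed signatures: .ida requests (Code Red style probes) and requests for
# cmd.exe or root.exe (the files Nimda's IIS probes ask for).
IDA_RE = re.compile(r"\.ida(\?|$)", re.I)
NIMDA_RE = re.compile(r"/(cmd|root)\.exe", re.I)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2})[^\]]*\] "\S+ (\S+)')

def count_probes(lines, own_addr=OWN_ADDR):
    """Tally probes per hour; /16 and /8 count sources sharing our prefix."""
    nets = {p: ip_network(f"{own_addr}/{p}", strict=False) for p in (16, 8)}
    hours = defaultdict(lambda: {"i": 0, "/16": 0, "/8": 0, "/0": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        src, hour, path = m.groups()
        try:
            src_ip = ip_address(src)
        except ValueError:
            continue  # logged as a hostname; cannot place it in a netblock
        row = hours[hour]  # hours with only benign traffic show as all zeros
        if IDA_RE.search(path):
            row["i"] += 1
        elif NIMDA_RE.search(path):
            row["/0"] += 1  # /0 = seen from anywhere
            for p, net in nets.items():
                if src_ip in net:
                    row[f"/{p}"] += 1
    return dict(hours)

def format_rows(hours):
    """Render rows in the same layout as the table in the message."""
    return [f"{h} i {c['i']} /16 {c['/16']} /8 {c['/8']} /0 {c['/0']}"
            for h, c in hours.items()]

SAMPLE = [  # constructed log lines, not real traffic
    '10.20.7.9 - - [20/Sep/2001:14:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.99.3.4 - - [20/Sep/2001:14:10:40 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [20/Sep/2001:14:31:05 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270',
    '203.0.113.5 - - [20/Sep/2001:15:01:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280',
    '203.0.113.5 - - [20/Sep/2001:15:20:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("\n".join(format_rows(count_probes(SAMPLE))))
```

A non-zero /16 column means a host on your own network is issuing the probes, which is the case worth chasing first.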
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 11:44:36 PDT