Re: Yet Another Nimda Thread (YANT)

From: Tracey Losco (tal1at_private)
Date: Fri Sep 21 2001 - 10:43:56 PDT


    Are you asking whether anyone has seen a lack of the scans in their 
    own netblock (ie: 128.122), or in everything inclusive of that 
    netblock (ie: 128)?
    
    I found a really cool script from this guy Bryan Andersen on one of 
    the newsgroups, that tests for how many pokes you've seen from the 
    Nimda worm, and as of 2:00pm yesterday, I haven't seen any from 
    inside our own.  See below:
    
    Column i represents .ida requests on our network, column /16 is our 
    network representing a Nimda file request and you know the rest from 
    there.
    
    20/Sep/2001:14  i 1     /16 0   /8 2    /0 2
    20/Sep/2001:15  i 0     /16 0   /8 1    /0 1
    20/Sep/2001:16  i 0     /16 0   /8 0    /0 0
    20/Sep/2001:17  i 1     /16 0   /8 0    /0 0
    20/Sep/2001:18  i 1     /16 0   /8 1    /0 1
    20/Sep/2001:19  i 0     /16 0   /8 0    /0 0
    20/Sep/2001:20  i 0     /16 0   /8 0    /0 1
    20/Sep/2001:21  i 0     /16 0   /8 0    /0 2
    20/Sep/2001:22  i 0     /16 0   /8 0    /0 0
    20/Sep/2001:23  i 1     /16 0   /8 0    /0 2
    21/Sep/2001:00  i 1     /16 0   /8 0    /0 0
    21/Sep/2001:01  i 1     /16 0   /8 1    /0 1
    21/Sep/2001:02  i 0     /16 0   /8 2    /0 2
    21/Sep/2001:03  i 0     /16 0   /8 1    /0 1
    21/Sep/2001:04  i 1     /16 0   /8 1    /0 3
    21/Sep/2001:05  i 0     /16 0   /8 3    /0 4
    21/Sep/2001:06  i 0     /16 0   /8 1    /0 1
    21/Sep/2001:07  i 1     /16 0   /8 0    /0 1
    21/Sep/2001:08  i 0     /16 0   /8 0    /0 0
    21/Sep/2001:09  i 0     /16 0   /8 0    /0 0
    21/Sep/2001:10  i 1     /16 0   /8 1    /0 2
    21/Sep/2001:11  i 0     /16 0   /8 0    /0 0
    21/Sep/2001:12  i 0     /16 0   /8 0    /0 0
    21/Sep/2001:13  i 1     /16 0   /8 0    /0 0
    
    I don't know whether to be happy, or whether to be in fear of the 
    storm to come...
    
    --------------------------------------------------------------------
    Tracey Losco
    Network Security Analyst		securityat_private
    ITS - Network Services			http://www.nyu.edu/its/security
    New York University			(212) 998 - 3433
    
    PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5
    
    
    At 12:46 PM -0400 9/21/01, Portnoy, Gary wrote:
    >I heard there were a few reports of Nimda going completely quiet in certain
    >netblocks, but none were substantiated.  I haven't seen a single Nimda IIS
    >exploit attempt since a little before 10 AM (EST).  I checked my IDS, apache
    >logs, IIS logs -- nothing.  Seems like it went silent.  Still seeing CodeRed
    >though. Can anyone correlate?  I am somewhere in the 12.27 netblock :)
    >
    >-Gary-
    >
    >Gary Portnoy
    >Network Administrator
    >gportnoyat_private
    >
    >PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
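An added example, not the Bryan Andersen script the post refers to: a Python tally that produces the same kind of hourly breakdown from Apache common-log lines. The log lines, the 128.122 prefix and the root.exe/cmd.exe signature used for a "Nimda file request" are assumptions constructed for illustration, and the column meanings (i = .ida requests; /16, /8, /0 = Nimda file requests from your own /16, your own /8, anywhere) are my reading of the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache common-log lines for illustration (not from the original post).
SAMPLE_LOG = """\
128.122.5.7 - - [20/Sep/2001:14:02:11 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 281
128.9.1.2 - - [20/Sep/2001:14:10:44 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
12.27.4.4 - - [20/Sep/2001:14:15:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
128.122.77.3 - - [20/Sep/2001:15:20:30 -0400] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
128.122.9.9 - - [20/Sep/2001:15:30:00 -0400] "GET /index.html HTTP/1.0" 200 1043
"""
# Pull source, hour bucket (dd/Mon/yyyy:HH) and request path out of a common-log line.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}):\d{2}:\d{2} [^\]]*\] "(?:GET|POST|HEAD) (\S+)')
IDA_RE = re.compile(r"\.ida\b", re.IGNORECASE)  # .ida probes: column "i"
# Assumed signature for a "Nimda file request": a fetch of root.exe or cmd.exe.
NIMDA_RE = re.compile(r"(?:root|cmd)\.exe", re.IGNORECASE)

def count_probes(log_text, own_prefix="128.122"):
    """Hourly tally: i = .ida requests from anywhere; /16, /8, /0 = Nimda file
    requests from own /16, own /8, anywhere (nested, so /16 <= /8 <= /0)."""
    a, b = own_prefix.split(".")
    net16 = ipaddress.ip_network(f"{a}.{b}.0.0/16")
    net8 = ipaddress.ip_network(f"{a}.0.0.0/8")
    counts = defaultdict(lambda: {"i": 0, "/16": 0, "/8": 0, "/0": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the tally
        src, hour, path = m.groups()
        if IDA_RE.search(path):
            counts[hour]["i"] += 1
        if NIMDA_RE.search(path):
            counts[hour]["/0"] += 1
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                continue  # hostname instead of an IP: counted under /0 only
            counts[hour]["/8"] += int(addr in net8)
            counts[hour]["/16"] += int(addr in net16)
    return dict(counts)

def format_rows(counts):
    """Render the rows in the post's column layout, oldest hour first."""
    hours = sorted(counts, key=lambda h: datetime.strptime(h, "%d/%b/%Y:%H"))
    return [f"{h}  i {counts[h]['i']}\t/16 {counts[h]['/16']}\t"
            f"/8 {counts[h]['/8']}\t/0 {counts[h]['/0']}" for h in hours]
```

Run it as `print("\n".join(format_rows(count_probes(SAMPLE_LOG))))` to get the hourly rows; point it at your own access log and prefix to reproduce the post's table.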
    



    This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 11:44:36 PDT