"Portnoy, Gary" <gportnoyat_private> writes: > I heard there were a few reports of Nimda going completely quiet in certain > netblocks, but none were substantiated. I haven't seen a single Nimda IIS > exploit attempt since a little before 10 AM (EST). I checked my IDS, apache > logs, IIS logs -- nothing. Seems like it went silent. Still seeing CodeRed > though. Can any one correlate? I am somewhere in the 12.27 netblock :) The scanning is certainly not uniformly distributed. Our IP address space was hit pretty hard on the 18th and 19th, but some hosts were targeted only very lightly. OTOH, we have only a very limited number of infected machines in the local /16 address range (hmm, possibly up to /15 or /14), due to massive efforts to get vulnerable IIS servers off the network, so our data is probably not representative. -- Florian Weimer Florian.Weimerat_private-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 14:32:31 PDT