Re: Has anyone seen this pattern?

From: Jay D. Dyson (jdysonat_private)
Date: Fri Oct 19 2001 - 08:46:25 PDT


    On Fri, 19 Oct 2001, VanMeter, John wrote:
    
    > Interesting Pattern... if you look at the below information you can see two
    > things.
    > 	1. All IP addresses start in the 199.x.x.x
    > 	2. The attacks use the same 13 attempted HTTP Attacks and 14
    > Suspicious URL
    > The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
    > Suspicious URL.
    
    	What are the URIs requested?  Based on the request count alone,
    I'd suspect it's a bunch of Nimda-infected hosts on the same network.  I
    see plenty of them from the Class A I'm on, and even more from the Class B
    I'm on.
    
    -Jay
    
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `- Peace without justice is life without living. -'  `------'
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:01:10 PDT