Re: Has anyone seen this pattern?

From: Jay D. Dyson (jdysonat_private)
Date: Fri Oct 19 2001 - 08:46:25 PDT

  • Next message: H C: "Re: Trojan program"

    On Fri, 19 Oct 2001, VanMeter, John wrote:
    > Interesting Pattern... if you look at the below information you can see two
    > things.
    > 	1. All IP address start in the 199.x.x.x 
    > 	2. the attacks use the same 13 attempted HTTP Attacks and 14
    > Suspicious URL
    > The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
    > Suspicious URL.
    	What are the URIs requested?  Based on the request count alone,
    I'd suspect it's a bunch of Nimda-infected hosts on the same network.  I
    see plenty of them from the Class A I'm on, and even more from the Class B
    I'm on.
    - -Jay
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `- Peace without justice is life without living. -'  `------'
    Version: 2.6.2
    Comment: See for current keys.
    -----END PGP SIGNATURE-----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:01:10 PDT