-----BEGIN PGP SIGNED MESSAGE----- On Fri, 19 Oct 2001, VanMeter, John wrote: > Interesting Pattern... if you look at the below information you can see two > things. > 1. All IP address start in the 199.x.x.x > 2. the attacks use the same 13 attempted HTTP Attacks and 14 > Suspicious URL > The only different one was 199.111.x.x which used 26 HTTP Attacks and 26 > Suspicious URL. What are the URIs requested? Based on the request count alone, I'd suspect it's a bunch of Nimda-infected hosts on the same network. I see plenty of them from the Class A I'm on, and even more from the Class B I'm on. - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee."-. >====<--. C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) | = |-' `--' `--' `- Peace without justice is life without living. -' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBO9A8xblDRyqRQ2a9AQGFjQP7BiZqvWlvV+/izf79Ct1Z4twRpv3NUFlv rg6JizRH/N0zj25j1wNVfMzZrLm+nMmYWi4PQp47WqHdfN6qGJ3as6R41xK+6XDr uhU9BcdBGCgzASgPhRfVG4SivshEHWCqUulfttKYG5ZbiHM/5qhmynYH3ggNtjZg oEHjTB0N7ts= =tUul -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:01:10 PDT