Russell,

For the networks I monitor I am seeing similar activity to the original Nimda (same /16 subnet for now). I have, like you, noticed the volume of hits within the network range is different.

I am also trying to correlate the connection attempts on port 80 with any attempts via tftp for the same source/dest combination. This seems to alert me whether a box on my network becomes infected (the tftp activity only occurs if a 200 OK response is seen to the port 80 activity).

So far (thankfully) I have not seen that particular connection combination.

from the trenches,
Rob

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
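
The correlation described in the message above (port 80 attempts matched against TFTP activity for the same source/destination pair), as an added example that is not part of the original post. The flow-record fields, the 300-second window, matching the pair in either direction and the "review" level are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, namedtuple

# Constructed flow record; the field names are assumptions, not a real sensor format.
Flow = namedtuple("Flow", "ts src dst proto dport http_status")

HTTP_PORT, TFTP_PORT = 80, 69


def correlate(flows, window=300):
    """Return (level, (host_a, host_b), tftp_ts) alerts in time order.

    An alert fires when TFTP (udp/69) is seen between two hosts that also had
    a port 80 attempt within `window` seconds before it. The level is
    "likely-infected" if any of those attempts got a 200 OK, else "review".
    """
    http_hits = defaultdict(list)  # host pair -> [(ts, status), ...]
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        # The message does not give a direction, so the pair is unordered (assumption).
        pair = frozenset((f.src, f.dst))
        if f.proto == "tcp" and f.dport == HTTP_PORT:
            http_hits[pair].append((f.ts, f.http_status))
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            recent = [s for t, s in http_hits.get(pair, []) if f.ts - t <= window]
            if recent:
                level = "likely-infected" if 200 in recent else "review"
                alerts.append((level, tuple(sorted(pair)), f.ts))
    return alerts


# Constructed sample flows (documentation and private address ranges).
SAMPLE = [
    Flow(100, "198.51.100.7", "10.1.2.10", "tcp", 80, 404),
    Flow(101, "198.51.100.7", "10.1.2.10", "tcp", 80, 200),
    Flow(103, "10.1.2.10", "198.51.100.7", "udp", 69, None),   # 200 OK, then TFTP
    Flow(200, "198.51.100.9", "10.1.2.11", "tcp", 80, 404),
    Flow(210, "10.1.2.11", "198.51.100.9", "udp", 69, None),   # TFTP without a 200
    Flow(900, "10.1.2.12", "198.51.100.9", "udp", 69, None),   # no port 80 attempt
    Flow(950, "198.51.100.8", "10.1.2.13", "tcp", 80, 200),
    Flow(2000, "10.1.2.13", "198.51.100.8", "udp", 69, None),  # outside the window
]

if __name__ == "__main__":
    for level, pair, ts in correlate(SAMPLE):
        print(f"{ts:>5} {level:<16} {pair[0]} <-> {pair[1]}")
```
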
This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 15:57:23 PST