RE: Nimda.E having an impact ??

From: Kinsey, Robert (Robert.Kinseyat_private)
Date: Wed Oct 31 2001 - 14:53:01 PST

  • Next message: John Sage: "Re: Should I be concerned about?"

    Russell,
    
    For the networks I monitor I am seeing similar activity to the original
    Nimda (same /16 subnet for now).  I have, like you, noticed the volume of
    hits within the network range is different.  I am also trying to correlate
    the connection attempts on port 80 with any attempts via tfpt for the same
    source/dest combination.  This seems to alert me whether a box on my network
    becomes infected (the tfpt activity only occurs if a 200 OK response is seen
    to the port 80 activity).  So far (thankfully) I have not seen that
    particular connection combination.
    
    from the trenches,
    
    Rob
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 15:57:23 PST