Does Nimda.E have a different scanning strategy than previous versions?

Although the number of machines that I see probing us on port 80 remains fairly stable, I notice that the actual volume of probes is up significantly over the last 24 hours. We are also seeing many more machines in our own class A.

Some stats: (these are of machines that probed port 80 on an address where nothing was listening over a 1 hour period (0800-0900 UTC +1200))

                               31 Oct    1 Nov
    total number                 1960     1947
    number in 130.0.0.0/8           7       37   (1)
    number with more than 100       8        9
    number with more than 10       21       55
    number of unicode attacks      12       19   (2)

notes:
1/ we are 130.216.0.0/16
2/ number of hosts on our network attacked as seen by snort on our DMZ

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 13:32:32 PST
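The per-hour tallies in the message above can be computed from probe records as in the following sketch, an added example that is not part of the original post. The `timestamp src dst dport` record format, the function names and the sample records are constructed for illustration, and "more than 100" / "more than 10" are assumed to mean probes per source address.

```python
import ipaddress
from collections import Counter

# The /8 named in the post; pass a different network to probe_stats() if needed.
LOCAL_SLASH8 = ipaddress.ip_network("130.0.0.0/8")

def probe_stats(lines, port=80, local_net=LOCAL_SLASH8):
    """Summarise probes to unused addresses.

    Each record is a constructed 'timestamp src dst dport' line (an assumed
    format, not the output of any particular tool).
    """
    per_source = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _ts, src, _dst, dport = fields
        if dport != str(port):
            continue  # only count probes to the port of interest
        try:
            per_source[ipaddress.ip_address(src)] += 1
        except ValueError:
            continue  # source field is not an IP address
    return {
        "total_sources": len(per_source),
        "sources_in_local_net": sum(1 for ip in per_source if ip in local_net),
        "sources_over_100": sum(1 for n in per_source.values() if n > 100),
        "sources_over_10": sum(1 for n in per_source.values() if n > 10),
        # Total volume, which can rise while the source count stays flat.
        "total_probes": sum(per_source.values()),
    }

def sample_hour():
    """Constructed sample records; these are not data from the post."""
    lines = ["2001-11-01T08:00:01 130.10.1.5 130.216.9.9 80"] * 120
    lines += ["2001-11-01T08:05:00 130.77.3.4 130.216.9.10 80"] * 15
    lines += ["2001-11-01T08:07:00 203.0.113.7 130.216.9.11 80"] * 3
    lines += ["2001-11-01T08:09:00 198.51.100.2 130.216.9.12 25"]  # other port
    lines += ["garbage line"]  # malformed, ignored
    return lines

if __name__ == "__main__":
    for key, value in probe_stats(sample_hour()).items():
        print(f"{key}: {value}")
```

Comparing `total_probes` against `total_sources` hour by hour separates a rise in per-host scan rate from a rise in the number of infected hosts, and `sources_in_local_net` tracks the shift toward nearby address space.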