Well, I have to say that it is disappointing. Not only in the fact that these people don't clean their systems, but that this is one of the few things that I see. Most of my system logs are full of ONLY worm attacks. I don't even get that many newbie vuln scans. I get about 10 of them a YEAR! My company is Fortune 500 and this is all I get. I guess I should count my blessings, but it does beg the question of "where is the REAL Inet fear?" I've seen a lot of postings to this group about attacks; however, most of them are pretty basic and there's not that many of them. I hate to nullify the security vendors' fear tactics, but I don't see that much on a day-to-day basis. Am I alone?

-----Original Message-----
From: Chip McClure [mailto:vhm3at_private]
Sent: Monday, November 12, 2001 4:55 PM
To: reillyat_private
Cc: incidentsat_private
Subject: Re: Nimda Infections

No, you're not alone. I'm on the 24.x subnet, and I still get a ton of them banging away on my BSD box. On some of the class C's that I admin, I have seen a decrease, substantial but not dramatic, on some of the 206.x & 216.x subnets. It's really frustrating, and aggravating, to watch the amount of hits coming in, over & over, from the same group of clients. I've been tempted to send the list to my ISP, but have held my patience for now. A lot of what I've read is total ignorance on the users' part - most don't even know that they're running a web server. I know, it is ignorance, but they should have some common sense, or mild technical abilities, to see what is going on in their machine.

Chip
-----
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.
http://www.gigguardian.com/
-----

On Mon, 12 Nov 2001 reillyat_private wrote:

> It's amazing to me when I see the amount of systems still infected with Nimda. In today's logs I see a huge amount of systems in the ATT network that are still banging away. I can't even give you the amount of systems that I'm seeing from China. What is so difficult about patching your system against the .hta, .htq vuln. I don't mean to go off on a rant, but am I the only one that feels this way? Is everyone else seeing the same activity?
>
> AT&T
> 12.101.62.4
> 12.102.47.51
> 12.103.156.10
> 12.103.159.94
> 12.64.128.3
> 12.64.134.199
> 12.72.139.96
> 12.73.5.135
> 12.74.161.194
> 12.75.41.165
> 12.77.146.214
> 12.77.148.241
> 12.77.151.250
> 12.78.144.115
> 12.81.109.130
> 12.81.120.25
> 12.81.163.216
> 12.81.2.240
> 12.83.81.182
> 12.83.83.74
> 12.84.96.198
> 12.87.145.155
> 12.88.161.248
> 12.88.173.180
> 12.89.165.130
> 12.91.118.157
> 12.98.144.18
> 12.99.178.250
> 12.99.179.10
> 12.99.28.7
> 12.99.94.158
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
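The log sifting the whole thread is about (worm hits "banging away" at a web server, boiled down to a per-source list like the one above that you could hand to an ISP), as an added example that is not part of any of the posts. It parses Common Log Format lines, matches the IIS probe strings Nimda is publicly documented to send (CERT advisory CA-2001-26: root.exe, the Unicode and double-decode traversals to cmd.exe, the /c/ and /d/ virtual roots), counts hits per source address, and separately flags any probe that was answered with a 200, because on an IIS host that means the traversal actually ran. The sample log lines are constructed for the example using documentation address ranges, and the function and variable names are this example's own, not anything from the list or the original posters.

```python
import re
from collections import Counter

# Request strings Nimda sends when it probes IIS, as documented publicly
# (CERT advisory CA-2001-26): root.exe left behind by Code Red II, the
# Unicode / double-decode traversal to cmd.exe, and the /c/ and /d/
# virtual roots. Case-insensitive, since IIS is.
NIMDA_PROBE_RE = re.compile(
    r"(?i)(?:"
    r"/root\.exe\?/c\+dir"                     # /scripts/root.exe, /MSADC/root.exe
    r"|/winnt/system32/cmd\.exe\?/c\+dir"      # any traversal or virtual-root path
    r"|/\.\.(?:%c0%af|%c1%1c|%c1%9c|%c0%2f|%255c|%252f|%%35c|%%35%63|%25%35%63)\.\./"
    r")"
)

# Common Log Format: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path):
    return NIMDA_PROBE_RE.search(path) is not None


def nimda_hits_by_source(lines):
    """Count Nimda probe requests per source address; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_nimda_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def successful_probes(lines):
    """Probes answered with 200. On a BSD/Apache box that is just noise; on IIS
    it means cmd.exe ran and the host has to be treated as compromised."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["status"] == "200" and is_nimda_probe(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def abuse_report(counts, min_hits=1):
    """One source per line, busiest first: the list you would forward to the ISP."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{ip}\t{n}" for ip, n in rows if n >= min_hits]


# Constructed sample log (documentation address ranges, not real sources).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2001:10:31:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [12/Nov/2001:10:31:02 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [12/Nov/2001:10:31:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [12/Nov/2001:10:31:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [12/Nov/2001:10:40:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [12/Nov/2001:10:40:16 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1410',
    '203.0.113.5 - - [12/Nov/2001:10:45:00 -0800] "GET /index.html HTTP/1.1" 200 4523',
    '203.0.113.5 - - [12/Nov/2001:10:45:01 -0800] "GET /images/logo.gif HTTP/1.1" 200 1203',
    "garbage line that will not parse",
]

if __name__ == "__main__":
    counts = nimda_hits_by_source(SAMPLE_LOG)
    print("\n".join(abuse_report(counts)))
    for ip, path in successful_probes(SAMPLE_LOG):
        print(f"WARNING: {ip} got a 200 for {path}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; raising min_hits filters out one-off scans so the ISP report only carries the hosts that are clearly infected rather than every address that touched the box once.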
This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 07:32:46 PST