My network is a relatively small one, in the scheme of things, but I have noticed that the distribution of nimda hits is not uniform on all the machines. Those I have most to do with are unix boxes, and those which aren't running webservers have the web ports locked off at the firewall.

All of my machines but one, including both webservers, get nimda hits at the rate of one or two, maybe three, unique sources per day. The remaining box gets a hit every six minutes or so from source IPs all over the world, and has more or less since the outbreak began. (I did the math, and that's the actual frequency.) At one point I opened port 80 and used netcat to see that they were sending. It is in fact nimda.

There must be something non-random in the IP address generator that nimda uses, such that the address of this particular box pops out rather more than I could wish for. They can't get in because the ports are blocked and it's the wrong OS, but my logs get huge and other traffic is obscured by the noise.

By the way, I noticed yesterday that someone seems to be trying to get CodeRed1 going again.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
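One way to quantify the skew described in the message above from firewall drop logs, as an added example that is not part of the original post. The log line format, function names, and sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (constructed) log format: "<ISO time> DROP src=<ip> dst=<ip> dport=<n>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ DROP src=(\S+) dst=(\S+) dport=(\d+)$")

def unique_sources(lines, port=80):
    """Map (day, dst) -> set of distinct source IPs blocked on `port`."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if m and int(m.group(4)) == port:
            day, src, dst = m.group(1), m.group(2), m.group(3)
            seen[(day, dst)].add(src)  # repeat probes from one source count once
    return seen

def skewed_targets(lines, factor=10, port=80):
    """Return {dst: (mean unique sources per day, mean minutes between sources)}
    for hosts whose daily rate exceeds `factor` times the median host's rate.
    Only days on which a host logged at least one hit enter its mean."""
    per_dst = defaultdict(list)
    for (_day, dst), srcs in unique_sources(lines, port).items():
        per_dst[dst].append(len(srcs))
    rates = {dst: sum(c) / len(c) for dst, c in per_dst.items()}
    if not rates:
        return {}
    base = median(rates.values())
    return {dst: (r, 1440 / r) for dst, r in rates.items() if r > factor * base}

def sample_log():
    """Constructed sample: four hosts see 2 sources/day, a fifth sees 240."""
    lines = []
    for host in range(1, 5):
        for n in range(2):
            lines.append(f"2001-11-12T0{n}:00:00 DROP src=198.51.100.{host * 10 + n} "
                         f"dst=192.0.2.{host} dport=80")
    for n in range(240):  # one new source every 6 minutes
        hh, mm = divmod(n * 6, 60)
        lines.append(f"2001-11-12T{hh:02d}:{mm:02d}:00 DROP src=203.0.113.{n} "
                     f"dst=192.0.2.5 dport=80")
    return lines

if __name__ == "__main__":
    for dst, (rate, gap) in skewed_targets(sample_log()).items():
        print(f"{dst}: {rate:.0f} unique sources/day, one every {gap:.1f} min")
```

Comparing against the median host rather than the mean keeps the single noisy box from raising its own threshold.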
This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 10:21:48 PST