Greetings All,

Earlier I posted details of a series of attacks that hit every IIS server on campus that was visible to the Internet overnight. I also suggested that this might be a prototype for a flash-type worm. No one else admits to seeing anything similar, so I conclude that this was most likely a simple scripted attack fed with a list of IPs that was gained by previous reconnaissance scans, i.e. nothing out of the ordinary. (The timing between attacks and the behaviour of the source port numbers suggest a simple sequential script.)

While looking over the evidence this morning it occurred to me that this is what an attack from a flash worm might look like. Assuming that the worm starts off with a list of all IIS servers (or whatever the target is) on the Net and simply starts scanning sequentially through its list, and that it splits its list with any children, then all any individual site would see is a sequential attack against its systems from a single IP.

So I decided to check and see if anyone else had observed this sort of activity.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
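Added example, not part of the original post: a detection sketch for the pattern the message describes, where one source works through a list of local servers once, at machine-paced intervals, with source ports that climb in small steps. The event tuple layout, the function name, the thresholds and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, source IP, source port, destination IP).
# Addresses are from documentation ranges; none come from the original post.
SAMPLE_EVENTS = [
    (1000.0, "198.51.100.7", 3101, "192.0.2.10"),
    (1004.0, "198.51.100.7", 3102, "192.0.2.14"),
    (1008.5, "198.51.100.7", 3103, "192.0.2.33"),
    (1012.0, "198.51.100.7", 3104, "192.0.2.40"),
    (1016.0, "198.51.100.7", 3105, "192.0.2.87"),
    # Unrelated client: irregular timing and scattered source ports.
    (1001.0, "203.0.113.9", 40211, "192.0.2.10"),
    (1090.0, "203.0.113.9", 1544, "192.0.2.14"),
    (1300.0, "203.0.113.9", 52010, "192.0.2.33"),
    (1302.0, "203.0.113.9", 2207, "192.0.2.40"),
]


def find_sequential_sweeps(events, min_targets=4, max_port_step=8, max_gap_cv=0.25):
    """Return {src_ip: summary} for sources that look like one scripted pass.
    Thresholds are illustrative assumptions, not values from the post."""
    by_src = defaultdict(list)
    for ts, src, sport, dst in events:
        by_src[src].append((ts, sport, dst))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        targets = [dst for _, _, dst in rows]
        if len(set(targets)) < min_targets or len(set(targets)) != len(targets):
            continue  # too few hosts, or hosts revisited: not a single pass
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        steps = [b[1] - a[1] for a, b in zip(rows, rows[1:])]
        # One process opening connections back to back: ports climb in small steps.
        ports_sequential = all(0 < s <= max_port_step for s in steps)
        # Coefficient of variation of the gaps: a low value means machine-paced.
        avg = mean(gaps)
        steady = avg > 0 and pstdev(gaps) / avg <= max_gap_cv
        if ports_sequential and steady:
            findings[src] = {"targets": len(targets), "mean_gap": round(avg, 2)}
    return findings


if __name__ == "__main__":
    for src, info in find_sequential_sweeps(SAMPLE_EVENTS).items():
        print(src, info)
```

Because a list-splitting worm would show each site only its own slice of the list, the check deliberately does not require destinations to be in numeric address order.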
This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 08:37:32 PST