I've noticed quite a few hosts scanning for a couple of the vulnerabilities used in the old IIS worms. For example, this afternoon I've seen scans from just over 500 highly diverse source IPs across 6 class Cs here. These don't match the normal worm scanning behaviour:

- each IP scans only a small number of hosts
- the largest number of requests I've seen from a single IP is 8 and most scan just one host with a couple requests
- the hosts scanned do not overlap
- the scans are staggered, so we'll get a small batch every 3-10 minutes
- the cycle of scans has repeated for the last few days at what appears to be long (>1 day) intervals
- the IPs aren't scanned contiguously

I have trouble believing someone would go to the trouble of collecting compromised hosts and then waste them stealthily scanning for vulnerabilities which even inattentive admins are likely to have patched and will trigger any halfway decent IDS, but a quick google didn't turn up anything much. Does anyone know what might be causing this?

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
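The traits listed in the post above can be checked mechanically against IDS alert data. The following is an added example, not part of the original post: the event format, addresses, function names and every threshold except the 8-request ceiling (taken from the post) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def sample_events():
    """Constructed alerts (epoch_seconds, source_ip, target_ip) that already
    matched an IDS signature. Addresses are documentation ranges."""
    events = []
    for i in range(12):
        t = 1000 + (i // 3) * 300 + i        # batches of 3 sources, 5 min apart
        src = f"198.51.100.{i + 1}"
        dst = f"192.0.2.{i * 7 % 250 + 1}"   # non-contiguous, one target each
        events += [(t, src, dst), (t + 1, src, dst)]
    return events

def worm_events():
    """Constructed contrast case: one source sweeping contiguous targets."""
    return [(2000 + n, "203.0.113.9", f"192.0.2.{n}") for n in range(1, 51)]

def profile(events, batch_gap=120):
    """Summarise the traits from the post: per-source volume, per-source
    target spread, target overlap between sources, and quiet gaps."""
    reqs, targets, hit_by = defaultdict(int), defaultdict(set), defaultdict(set)
    for _, src, dst in events:
        reqs[src] += 1
        targets[src].add(dst)
        hit_by[dst].add(src)
    times = sorted(t for t, _, _ in events)
    return {
        "sources": len(reqs),
        "max_requests": max(reqs.values(), default=0),
        "max_targets": max((len(s) for s in targets.values()), default=0),
        "shared_targets": sum(1 for s in hit_by.values() if len(s) > 1),
        # gaps longer than batch_gap seconds separate staggered batches
        "batch_gaps": [b - a for a, b in zip(times, times[1:]) if b - a > batch_gap],
    }

def looks_distributed(p, min_sources=10, max_req=8, max_tgt=2):
    """True when many sources each touch few hosts and no target is shared.
    max_req=8 comes from the post; the other thresholds are assumptions."""
    return (p["sources"] >= min_sources and p["max_requests"] <= max_req
            and p["max_targets"] <= max_tgt and p["shared_targets"] == 0)

if __name__ == "__main__":
    for name, ev in (("sample", sample_events()), ("worm", worm_events())):
        p = profile(ev)
        print(name, p, "distributed:", looks_distributed(p))
```
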
This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 05:19:34 PST