Re: Nimda Infections and code red resurgence

From: Dug Song (dugsongat_private)
Date: Wed May 08 2002 - 14:33:17 PDT


    On Wed, Nov 14, 2001 at 11:17:20AM +1300, Russell Fulton wrote:
    > Code Red never went away, it just sleeps on the 19th (or 20th?) of the 
    > month and reawakes on the 1st.  Since it is cleared by rebooting then 
    > many infections die off over the ten days.
    a graph of unique infected hosts per day since December 2000, as seen
    on our blackhole monitor (watching an unused /8):

    > What puzzles me however is that we see the odd machine in some
    > unrelated /8 probing at very high rates (well over 100 per hour).
    > On at least one occasion I verified (from the IDS) that the machine
    > was attempting Nimda style attacks on any web server it found.
    we have seen these too - check the User-Agent: header, and you may
    find that some of them are from a free third-party win32 HTTP library
    (CSHttpClient). widespread scanning for the IIS Unicode directory
    traversal bug has been going on since late last year - perhaps
    attackers are trying to hide their scans in all the noise...
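
Dug's suggestion to check the User-Agent header, and Russell's note about single hosts probing at well over 100 requests per hour, both come down to the same log triage. The Python below is an added example and is not code from this thread or from either poster: it classifies Apache combined-format log lines as Code Red (`/default.ida`) or Nimda-style probes (IIS Unicode and double-encoded directory traversal to `cmd.exe`, plus `root.exe` backdoor probes), records the User-Agent seen per source, and flags sources that exceed a per-hour threshold. The log lines, addresses and the `CSHttpClient` agent string in the sample are constructed, and the lenient overlong-UTF-8 decoding is the example's own simplified model of the IIS bug, not a reproduction of IIS code.

```python
"""Triage web logs for Code Red / Nimda-style probes and report User-Agents.

Added example for the thread above; the log data is constructed, not real.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format log lines.  The Code Red request is
# truncated to its recognisable prefix; the agent strings are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2001:10:01:02 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 331 "-" "-"
192.0.2.7 - - [14/Nov/2001:10:05:00 +1300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "CSHttpClient"
192.0.2.7 - - [14/Nov/2001:10:05:01 +1300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "CSHttpClient"
192.0.2.7 - - [14/Nov/2001:10:05:02 +1300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300 "-" "CSHttpClient"
198.51.100.9 - - [14/Nov/2001:10:07:30 +1300] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"""

# Apache "combined" format: src ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def decode_iis_path(raw: str) -> str:
    """Decode a request path the way the vulnerable IIS did (simplified model).

    Percent-decodes twice (so %255c becomes a backslash) and accepts overlong
    two-byte UTF-8 such as %c0%af ('/') and %c1%9c ('\\') by computing the
    code point without validating the sequence.  Backslashes are folded to
    '/' so traversal can be matched one way.
    """
    data = unquote_to_bytes(unquote_to_bytes(raw))
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/")


def classify(raw_path: str):
    """Return a probe label for a request path, or None if it looks benign."""
    if raw_path.lower().startswith("/default.ida"):
        return "code-red"            # Code Red .ida overflow request
    path = decode_iis_path(raw_path).lower()
    traversal = "/../" in path
    if "cmd.exe" in path and traversal:
        return "unicode-traversal"   # Nimda-style traversal to cmd.exe
    if "root.exe" in path:
        return "root.exe-probe"      # probe for the Code Red II backdoor
    if traversal:
        return "traversal"
    return None


def analyze(log_text: str) -> dict:
    """Per-source summary: probe kinds, User-Agents seen, hits per clock hour."""
    report = defaultdict(
        lambda: {"probes": Counter(), "agents": set(), "per_hour": Counter()}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["path"])
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report[m["src"]]
        entry["probes"][kind] += 1
        entry["agents"].add(m["ua"])
        entry["per_hour"][ts.strftime("%Y-%m-%d %H")] += 1
    return dict(report)


def noisy_sources(report: dict, threshold: int) -> list:
    """Sources that sent more than `threshold` probes within one clock hour."""
    return sorted(
        src for src, e in report.items() if max(e["per_hour"].values()) > threshold
    )


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for src, e in summary.items():
        print(src, dict(e["probes"]), sorted(e["agents"]), dict(e["per_hour"]))
    print("over 100/hour:", noisy_sources(summary, 100))
```

Against real logs the threshold of 100 probes per hour is the one Russell mentions; the `agents` set is what lets you spot a library string like the one Dug describes across many otherwise unrelated sources.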
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 15:26:23 PDT