Re: Nimda Infections and code red resurgence

From: Dug Song (dugsongat_private)
Date: Wed May 08 2002 - 14:33:17 PDT

    On Wed, Nov 14, 2001 at 11:17:20AM +1300, Russell Fulton wrote:
    
    > Code Red never went away, it just sleeps on the 19th (or 20th?) of the 
    > month and reawakens on the 1st.  Since it is cleared by rebooting then 
    > many infections die off over the ten days.
    
    a graph of unique infected hosts per day since December 2000, as seen
    on our blackhole monitor (watching an unused /8):
    
    	http://www.monkey.org/~dugsong/worms.jpg
    
    > What puzzles me however is that we see the odd machine in some
    > unrelated /8 probing at very high rates (well over 100 per hour).
    > On at least one occasion I verified (from the IDS) that the machine
    > was attempting Nimda style attacks on any web server it found.
    
    we have seen these too - check the User-Agent: header, and you may
    find that some of them are from a free third-party win32 HTTP library
    (CSHttpClient). widespread scanning for the IIS Unicode directory
    traversal bug has been going on since late last year - perhaps
    attackers are trying to hide their scans in all the noise...
    
    -d.
    
    ---
    http://www.monkey.org/~dugsong/
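An added detection example, not part of the original message, that puts both of Dug's suggestions into practice over web-server access-log lines: it percent-decodes each request path and then decodes it the lenient way a vulnerable IIS did, so overlong UTF-8 sequences such as `%c0%af` surface as the `../` or `..\` they stood for, and it flags the CSHttpClient User-Agent. The log lines are constructed and the lenient decoder is a simplified model of the IIS behaviour, both assumptions for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Common Log Format lines (not from the original message).
SAMPLE_LOG = """\
10.0.0.7 - - [14/Nov/2001:11:17:20 +1300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
10.0.0.8 - - [14/Nov/2001:11:18:02 +1300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [14/Nov/2001:11:19:45 +1300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "CSHttpClient"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def lenient_utf8(data: bytes) -> str:
    """Model of a lenient decoder: a 2-byte lead (0xC0-0xDF) plus *any* following
    byte is accepted, so overlong forms like C0 AF decode to '/' and C1 9C to '\\'.
    A correct decoder rejects these; that gap is what the Unicode traversal bug abused."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def traversal_after_decode(path: str) -> bool:
    """True if the path contains a parent-directory step once decoded leniently."""
    decoded = lenient_utf8(unquote_to_bytes(path))
    return "../" in decoded or "..\\" in decoded

def has_suspicious_agent(ua: str) -> bool:
    return "cshttpclient" in ua.lower()

def scan_log(text: str) -> list:
    """Return one finding per line that matches either indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if traversal_after_decode(m["path"]):
            reasons.append("unicode-traversal")
        if has_suspicious_agent(m["ua"]):
            reasons.append("cshttpclient-ua")
        if reasons:
            findings.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```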
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 15:26:23 PDT