I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our 66.0.0.0/8 network and I see 31 sources each send in multiples of 13 attempts. Of the 31 hosts, 3 sources were not from 66/8. One of those was from wanadoo.fr with 130 hits. The hits can come as fast as 2 per second, so I assume that it has to be scripted. This is only an annoyance and does not do anything more that make noise in my logs, but I think it is some sort of worm because of the fact they all send in multiples of 13 and it seems that the odds of having 31 script kiddies running the same script against our site in the same day is fairly low and over a month we have 448 different sources doing the same thing. Just an observation if you are interested. Rich ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 08:43:25 PDT