Michael: On Tue, Oct 01, 2002 at 09:37:18AM -0700, Scott, Michael R. wrote: > Correction/update to my earlier post: > It seems to be scanning random chunks of addresses, not /16's, see below for > a listing of targets probed over a 75 second period. Notice how it starts > off with incrementing the host of a /24 then jumps to a different /8 and > increments only the first octet. Yesterday night's NAV signatures detect it > as W32.Opaserv.Worm. A view of the properties of the file show a C time of > this past Sat night (9/28 19:32 PST), and an M time of 1/1/70. What is the relationship between the IP this scanning host had, and the IP blocks it started scanning, or the IP blocks it scanned at all? Any? > 181.5.73.183 > 181.5.73.184 > 181.5.73.185 > 181.5.73.186 > 181.5.73.187 > 181.5.73.188 > 181.5.73.189 <snippage> - John -- "It's a troll! Run!^H^H^H^H Laugh!" PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 18:43:11 PDT