Re: NIMDA - ceased ? -

From: James C. Slora Jr. (Jim.Sloraat_private)
Date: Fri Dec 27 2002 - 10:36:51 PST

    Neil Dickey wrote Friday, December 27, 2002 12:25 PM
    
    
    > Tomo <tomo@c-wind.com> wrote asking:
    >
    > >Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something)
    > >ceased ?
    > >04:54, Dec. 23 UTC is the last access of them, around here.
    >
    > No, not around here anyway.  My latest hit was this morning, the
    > 27th.  I will say that traffic levels for this one are somewhat
    > reduced from what they have been, and days may pass without any
    > hits.
    >
    > My guess is that what we're seeing now isn't entirely the worm
    > operating, but that the worm's exploit has been incorporated into
    > various scripts.
    
    I believe that Nimda and Code Red are usually dormant at the end of every
    month anyway. They'll be back in a few days.
    
    But I agree that many Nimda-like probes are probably script kiddies. If you
    are talking about just the one particular hit that Tomo listed, most of my
    query sources have been script kiddies rather than Nimda.
    
    - Jim
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


