Security Incidents mailing list archives
Re: Nimda probes from way off IP addresses
From: Brett Glass <brett () lariat org>
Date: Fri, 21 Sep 2001 14:31:01 -0600
At 12:20 PM 9/21/2001, Steve Cody wrote:
It has been my understanding that the Nimda probes to web servers were always from nearby IP address blocks.
Not always. The worm merely devotes much MORE of its efforts to nearby addresses. Nimda apparently makes very frequent attacks upon the local Class B, fewer upon the local Class A, and fewer still upon the rest of the Net. But it can attack any address. --Brett Glass ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Nimda probes from way off IP addresses Steve Cody (Sep 21)
- <Possible follow-ups>
- Re: Nimda probes from way off IP addresses Brett Glass (Sep 21)