Security Incidents mailing list archives

Re: Nimda probes from way off IP addresses

From: Brett Glass <brett () lariat org>
Date: Fri, 21 Sep 2001 14:31:01 -0600

At 12:20 PM 9/21/2001, Steve Cody wrote:

It has been my understanding that the Nimda probes to web servers were
always from nearby IP address blocks.


Not always. The worm merely devotes much MORE of its efforts to nearby
addresses.

Nimda apparently makes very frequent attacks upon the local Class B,
fewer upon the local Class A, and fewer still upon the rest of the Net.
But it can attack any address.

--Brett Glass


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Nimda probes from way off IP addresses Steve Cody (Sep 21)
- <Possible follow-ups>
- Re: Nimda probes from way off IP addresses Brett Glass (Sep 21)