Security Incidents mailing list archives

RE: Wave of Nimda-like hits this morning?


From: Greg Williamson <n120476 () phaedrus national com au>
Date: Wed, 27 Feb 2002 11:57:55 +1100 (EST)


All,

I have been seeing those scans pretty nonstop since the outbreak of
Nimda.  AT&T tells me that they have blocked Code Red, CRII, and Nimda
upstream, but I still get this traffic 15 times a day or so.  Yesterday,
I had one IP hit my machine, looking for cmd.exe 27 times...

I've also seen a fair number of these recently.  My "record" was 700+ hits from 
a machine that was "close" to me.  Judicious use of curl indicated that the 
machine was infected with Nimda.  A recent re-check has shown it to be resolved 
now.

Whilst it takes some people quite a while to fix it (or in fact notice it) 
("it'll never happen to me"), it's slowly diminishing.

I'm also not seeing any apache crashes - Apache 1.3.12 on RH7.0 (plus 
appropriate patches)

Greg.

