Security Incidents mailing list archives

Re: nimda like probes


From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 05 Feb 2002 16:14:53 +1300

Greetings All,

Earlier I posted details of a series of attacks that hit every IIS
server on campus that was visible to the Internet overnight.

I also suggested that this might be a prototype for a flash type worm.

No one else admits to seeing anything similar so I conclude that this
was most likely a simple scripted attack fed with a list of IPs that was
gained by a previous reconnaissance scan.  I.e. nothing out of the
ordinary. (The timing between attacks and the behaviour of the source
port numbers suggest a simple sequential script).

While looking over the evidence this morning it occurred to me that this
is what an attack from a flash worm might look like.  Assuming that the
worm starts off with a list of all IIS servers (or whatever the target
is) on the Net and simply starts scanning sequentially through its list
and that it splits its list with any children, then all any individual
site would see is a sequential attack against its systems from a single
IP.  So I decided to check and see if anyone else had observed this sort
of activity.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
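
An added example, not part of the original post: a detection sketch for the two signals the message mentions, regular timing between probes and sequentially climbing source ports from one IP across many servers. The record layout, the function name `sequential_sources`, the thresholds and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch seconds, source IP, source port, destination IP).
# Addresses are from the documentation ranges; none come from the original post.
SAMPLE = [
    (1000.0, "192.0.2.10", 3101, "198.51.100.5"),
    (1002.1, "192.0.2.10", 3102, "198.51.100.9"),
    (1004.0, "192.0.2.10", 3103, "198.51.100.17"),
    (1006.2, "192.0.2.10", 3104, "198.51.100.23"),
    (1008.1, "192.0.2.10", 3105, "198.51.100.40"),
    (1001.0, "203.0.113.7", 51544, "198.51.100.5"),
    (1500.0, "203.0.113.7", 40211, "198.51.100.5"),
    (4000.0, "203.0.113.7", 60930, "198.51.100.9"),
]

def sequential_sources(records, min_targets=4, max_port_step=4, max_jitter=0.5):
    """Return {src_ip: summary} for sources whose probes look like one
    sequential script: many distinct targets, source ports that climb by
    small steps, and near-constant spacing between probes."""
    by_src = defaultdict(list)
    for ts, src, sport, dst in records:
        by_src[src].append((ts, sport, dst))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()  # order each source's probes by time
        targets = {dst for _, _, dst in rows}
        if len(targets) < min_targets:
            continue
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        steps = [b[1] - a[1] for a, b in zip(rows, rows[1:])]
        # Ephemeral ports handed out one connection after another rise by
        # small positive steps (port wraparound is not handled here).
        ports_sequential = all(0 < s <= max_port_step for s in steps)
        # Coefficient of variation of the gaps: low means regular pacing.
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if ports_sequential and jitter <= max_jitter:
            flagged[src] = {"targets": len(targets),
                            "mean_gap": mean(gaps),
                            "jitter": jitter}
    return flagged

if __name__ == "__main__":
    for src, info in sequential_sources(SAMPLE).items():
        print(src, info)
```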

