Security Incidents mailing list archives
Re: Nimda Infections and code red resurgence
From: Dug Song <dugsong () monkey org>
Date: Wed, 8 May 2002 17:33:17 -0400
On Wed, Nov 14, 2001 at 11:17:20AM +1300, Russell Fulton wrote:
Code Red never went a way, it just sleeps on the 19th (or 20th ?)of the month and reawakes on the 1st. Since it is cleared by rebooting then many infections die off over the ten days.
a graph of unique infected hosts per day since December 2000, as seen on our blackhole monitor (watching an unused /8): http://www.monkey.org/~dugsong/worms.jpg
What puzzels me however is that we see to the odd machine in some unrelated /8 probing at very high rates (well over 100 per hour). On at least one ocassion I verified (from the IDS) that the machine was attempting Nimda style attacks on any web server it found.
we have seen these too - check the User-Agent: header, and you may find that some of them are from a free third-party win32 HTTP library (CSHttpClient). widespread scanning for the IIS Unicode directory traversal bug has been going on since late last year - perhaps attackers are trying to hide their scans in all the noise... -d. --- http://www.monkey.org/~dugsong/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Nimda Infections and code red resurgence Dug Song (May 08)