|
Security Incidents
mailing list archives
Re: Has anyone seen this pattern?
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 19 Oct 2001 08:46:25 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 19 Oct 2001, VanMeter, John wrote:
Interesting Pattern... if you look at the below information you can see two
things.
1. All IP address start in the 199.x.x.x
2. the attacks use the same 13 attempted HTTP Attacks and 14
Suspicious URL
The only different one was 199.111.x.x which used 26 HTTP Attacks and 26
Suspicious URL.
What are the URIs requested? Based on the request count alone,
I'd suspect it's a bunch of Nimda-infected hosts on the same network. I
see plenty of them from the Class A I'm on, and even more from the Class B
I'm on.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) | = |-'
`--' `--' `- Peace without justice is life without living. -' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iQCVAwUBO9A8xblDRyqRQ2a9AQGFjQP7BiZqvWlvV+/izf79Ct1Z4twRpv3NUFlv
rg6JizRH/N0zj25j1wNVfMzZrLm+nMmYWi4PQp47WqHdfN6qGJ3as6R41xK+6XDr
uhU9BcdBGCgzASgPhRfVG4SivshEHWCqUulfttKYG5ZbiHM/5qhmynYH3ggNtjZg
oEHjTB0N7ts=
=tUul
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
| 
Intro
