[Am-info] Interesting observation re Nimda et al
Sujal Shah
sujal@sujal.net
10 Jul 2002 13:27:06 -0400

I noticed something yesterday that was very odd, and I thought I'd share
it with everyone.

I set up a new web site yesterday with a new domain and IP at my web
host. I did this after lunch, because our office network was down, so
it must have been around 1 PM ET that the domain name was set up on my
web host.

I got my first Nimda or some other IIS scan virus at 14:02 PM.

By midnight that night I got 21 failures in the period between 2 PM and
midnight, ALL of them IIS vulnerability scans. You can see the logs
yourself at http://www.sujal.net/traffic/fatmixx_07_102.html.

This is amazing to me... I realize the IP address is in a block owned by
a major web host, but still, 21 in my first 8 hours of existence.

I wonder how many infected machines are out there. My main site has
been probed by these things 85+ times since July 1. I've also gotten
what looks like maybe 5 hits for non-Windows-specific attacks (does
anyone remember what exploit NULL.printer is associated with? I'll look
it up later).

Sujal
--
---- Sujal Shah --- sujal@sujal.net ---
http://www.sujal.net
Now Playing: Johnny Vicious - Bee Dee / Forever