[Am-info] Interesting observation re Nimbda et al
Geoffrey
esoteric@3times25.net
Wed, 10 Jul 2002 13:39:02 -0400
This is the biggest problem with these buggers. They're scanning blocks
of IPs. They're not even looking for registered domains. I've got two
static IPs, one is registered to a domain, the other is not. Both get
the same number of hits.

Sujal Shah wrote:
> I noticed something yesterday that was very odd, and I thought I'd share
> it with everyone.
>
> I set up a new web site yesterday with a new domain and IP at my web
> host. I did this after lunch, because our office network was down, so
> it must have been around 1 PM ET that the domain name was set up on my
> web host.
>
> I got my first Nimda or some other IIS scan virus at 14:02 PM.
>
> By midnight that night I got 21 failures in the period between 2PM and
> midnight, ALL of them IIS vulnerability scans. You can see the logs
> yourself at http://www.sujal.net/traffic/fatmixx_07_102.html.
>
> This is amazing to me... I realize the IP address is in a block owned by
> a major web host, but still, 21 in my first 8 hours of existence.
>
> I wonder how many infected machines are out there. My main site has
> been probed by these things 85+ times since July 1. I've also gotten
> what looks like maybe 5 hits for non-Windows-specific attacks (does
> anyone remember what exploit NULL.printer is associated with? I'll look
> it up later).
>
> Sujal
>
>
--
Until later: Geoffrey esoteric@3times25.net
I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?