[42642] in North American Network Operators' Group


Re: Worm probes

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 18 15:48:09 2001

Date: Tue, 18 Sep 2001 14:17:37 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Ulf Zimmermann <ulf@Alameda.net>
Cc: "Smith, Rick" <rsmith@atsworld.com>,
	"'Daniel Senie'" <dts@senie.com>, sigma@pair.com, nanog@merit.edu
Message-ID: <20010918141737.B27971@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010918104603.F2286@seven.alameda.net>; from ulf@Alameda.net on Tue, Sep 18, 2001 at 10:46:03AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Sep 18, 2001 at 10:46:03AM -0700, Ulf Zimmermann wrote:
> 
> On Tue, Sep 18, 2001 at 10:40:23AM -0400, Smith, Rick wrote:
> > 
> > 
> > For the past 2 weeks or so, we were averaging 1,200 probes per hour.
> > 
> > As of 8 or so this morning, we started averaging > 25,000 per hour!
> > 
> > I've noticed that at the same time, we started getting probes from our
> > provider's space (uniquely 23 addresses there), but not our own.  Until this
> > morning, we had *0* probes from inside our provider's space.
> > 
> > Maybe this is the next round kicking off, looking for things to infect
> > locally before searching the world again.
> 
> Similar here, most probes so far are coming from Speakeasy DSL IPs to
> my Speakeasy DSL servers. Haven't checked the others yet. So far
> about 20k probes.

	I think it scans your local /16.

	I've seen other scans from the /16 that my machines reside in.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
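
One way to check the local-/16 observation against your own probe logs, as an added example that is not part of the original thread: bucket each probe by whether its source shares a /16 or /8 with the target, per hour. The log format (`hour source destination`), the function names, and every address below are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample, one probe per line: "<hour> <source IP> <destination IP>".
# Addresses are private/documentation ranges, not data from the thread.
SAMPLE = """\
2001-09-18T07 198.51.100.7 10.20.1.5
2001-09-18T07 203.0.113.9 10.20.1.5
2001-09-18T08 10.20.44.2 10.20.1.5
2001-09-18T08 10.20.200.17 10.20.1.5
2001-09-18T08 10.20.3.99 10.20.1.6
2001-09-18T08 10.77.0.4 10.20.1.5
2001-09-18T08 192.0.2.30 10.20.1.6
2001-09-18T08 not-an-ip 10.20.1.5
"""

def locality(src, dst):
    """Classify a probe source relative to the probed host's /16 and /8."""
    s = ipaddress.IPv4Address(src)
    if s in ipaddress.ip_network(f"{dst}/16", strict=False):
        return "same/16"
    if s in ipaddress.ip_network(f"{dst}/8", strict=False):
        return "same/8"
    return "other"

def summarize(text):
    """Return {hour: Counter of locality buckets}, skipping malformed lines."""
    per_hour = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        hour, src, dst = parts
        try:
            bucket = locality(src, dst)
        except ValueError:  # unparsable address in the log line
            continue
        per_hour.setdefault(hour, Counter())[bucket] += 1
    return per_hour

def local_share(counter):
    """Fraction of an hour's probes that came from the target's own /16."""
    total = sum(counter.values())
    return counter["same/16"] / total if total else 0.0

if __name__ == "__main__":
    for hour, c in sorted(summarize(SAMPLE).items()):
        print(hour, dict(c), f"same/16 share={local_share(c):.2f}")
```

A sudden rise in the same-/16 share alongside the hourly total is the pattern the posters describe; a rise in volume with a flat share points to more scanners overall rather than local preference.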
