[42660] in North American Network Operators' Group
Re: Worm Probes
daemon@ATHENA.MIT.EDU (Mark Kent)
Tue Sep 18 17:10:19 2001
Date: Tue, 18 Sep 2001 13:55:12 -0700 (PDT)
Message-Id: <200109182055.NAA39069@noc.mainstreet.net>
From: Mark Kent <mark@mainstreet.net>
To: nanog@merit.edu
In-reply-to: <00e601c14077$29e2cd60$2223f8d8@compu.net> (blarson@compu.net)
Errors-To: owner-nanog-outgoing@merit.edu
>> I had 482 infected hosts scanning my server. Anyone want to see a
>> list so they can look for their hosts send me an email and I will
>> be happy to forward you my infected file
Based on a sample of two, I'm guessing that there might be a
small intersection between lists from different sites...
at least at this early stage.
I took a list I generated from traffic coming into a web server
on my net and applied an ACL which then lit up as expected with
many "hits".
Then, I applied the same list to a circuit at a site I manage, off my
net, and got very few hits. This site has a 10Mb/s jump in traffic
today, so they are seeing this new virus, but it's not by the
same set of 600+ IP addresses that I've seen.
-mark
