What makes you think nimda here? Are there any reports of nimda using
other than e-mail and the web to pollinate?

Thanks,

Ron DuFresne

On Mon, 1 Oct 2001, bob bobing wrote:

> could be the nimda virus, have you scanned the machines
> in question.
>
> --- Michael Janke <[EMAIL PROTECTED]> wrote:
> > We've been seeing an increasing number of probes on port 524
> > starting about a week ago.
> >
> > The probes appear to be coming from ordinary PC's, both internal and
> > external to our network. The probes follow a regular pattern of 3
> > probes followed by DNS and Netbios lookups. The probes appear to
> > scan their own class 'A' and 'B' more often than other networks,
> > but will jump randomly a percentage of the time. The time between
> > packets and the packet lengths are very consistent across many
> > scans.
> >
> > Port 524 is normally used for Netware 5.x file services, but has
> > also been associated with an old Linux vulnerability.
> >
> > I've isolated a single scan using Netflow data.
> >
> > Time     SrcIPaddre    SrcP DstIPaddress   DstP Pr  Pkts Octets
> >
> > 09:24:18 A1.29.208.155 1088 A1.29.237.94   524  TCP 3    144
> > 09:24:28 A1.29.208.155 1089 A1.29.237.94   524  TCP 3    144
> > 09:24:39 A1.29.208.155 1090 A1.29.237.94   524  TCP 3    144
> > 09:24:52 A1.29.208.155 137  <nameserver1>  53   UDP 6    360
> > 09:24:57 A1.29.208.155 137  <nameserver2>  53   UDP 6    360
> > 09:25:01 A1.29.208.155 137  A1.29.237.94   137  UDP 3    234
> >
> > 09:25:12 A1.29.208.155 1093 A1.201.92.88   524  TCP 3    144
> > 09:25:22 A1.29.208.155 1094 A1.201.92.88   524  TCP 3    144
> > 09:25:33 A1.29.208.155 1095 A1.201.92.88   524  TCP 3    144
> > 09:25:46 A1.29.208.155 137  <nameserver1>  53   UDP 6    360
> > 09:25:51 A1.29.208.155 137  <nameserver2>  53   UDP 6    360
> > 09:25:55 A1.29.208.155 137  A1.201.92.88   137  UDP 3    234
> >
> > 09:26:06 A1.29.208.155 1098 A1.29.241.245  524  TCP 3    144
> > 09:26:16 A1.29.208.155 1099 A1.29.241.245  524  TCP 3    144
> > 09:26:27 A1.29.208.155 1100 A1.29.241.245  524  TCP 3    144
> > 09:26:40 A1.29.208.155 137  <nameserver1>  53   UDP 6    366
> > 09:26:45 A1.29.208.155 137  <nameserver2>  53   UDP 6    366
> > 09:26:49 A1.29.208.155 137  A1.29.241.245  137  UDP 3    234
> >
> > 09:27:00 A1.29.208.155 1103 A2.242.13.97   524  TCP 3    144
> > 09:27:10 A1.29.208.155 1104 A2.242.13.97   524  TCP 3    144
> > 09:27:21 A1.29.208.155 1105 A2.242.13.97   524  TCP 3    144
> >
> > This is a new pattern to us. Has anybody seen anything like it?
> >
> > --Mike
> >
> > -----------------------------------------
> > Michael Janke
> > Director, Network Services
> > Minnesota State Colleges and Universities
> > -----------------------------------------
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
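
The pattern described in the quoted report (three small TCP flows to port 524 on one target, then DNS and NetBIOS lookups) can be searched for in flow exports. The following Python is an added example, not part of the original thread; the function names, the 3-packet threshold and the last sample row are assumptions made for illustration.

```python
from collections import defaultdict
# All rows but the last are copied from the Netflow excerpt in the thread
# (addresses as anonymized there); the last row is constructed for contrast.
FLOWS = """\
09:24:18 A1.29.208.155 1088 A1.29.237.94 524 TCP 3 144
09:24:28 A1.29.208.155 1089 A1.29.237.94 524 TCP 3 144
09:24:39 A1.29.208.155 1090 A1.29.237.94 524 TCP 3 144
09:24:52 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:25:01 A1.29.208.155 137 A1.29.237.94 137 UDP 3 234
09:27:00 A1.29.208.155 1103 A2.242.13.97 524 TCP 3 144
09:27:10 A1.29.208.155 1104 A2.242.13.97 524 TCP 3 144
09:27:21 A1.29.208.155 1105 A2.242.13.97 524 TCP 3 144
09:27:30 A1.29.208.77 1042 A1.29.237.94 524 TCP 40 9120
"""

def parse(text):
    """Yield one dict per 8-column flow row; other lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8:
            yield dict(time=f[0], src=f[1], dst=f[3], dport=int(f[4]),
                       proto=f[5], pkts=int(f[6]))

def find_probe_groups(flows, port=524, probes=3, max_pkts=3):
    """Return (src, dst, first_time, netbios_followup) per run of small probes."""
    is_probe = lambda r: r["proto"] == "TCP" and r["dport"] == port
    by_src = defaultdict(list)
    for fl in flows:
        by_src[fl["src"]].append(fl)
    hits = []
    for src, rows in by_src.items():
        i = 0
        while i + probes <= len(rows):
            run, dst = rows[i:i + probes], rows[i]["dst"]
            if not all(is_probe(r) and r["dst"] == dst and r["pkts"] <= max_pkts
                       for r in run):
                i += 1
                continue
            i += probes
            netbios = False  # did a UDP/137 lookup of the same target follow?
            while i < len(rows) and not is_probe(rows[i]):
                r = rows[i]
                netbios |= r["proto"] == "UDP" and r["dport"] == 137 and r["dst"] == dst
                i += 1
            hits.append((src, dst, run[0]["time"], netbios))
    return hits

if __name__ == "__main__":
    print(find_probe_groups(parse(FLOWS)))
```

The constructed 40-packet flow from A1.29.208.77 is not reported, since it is a single, larger session rather than a run of three small probes.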
