[Dshield] New Nimda ?

Johannes Ullrich jullrich at sans.org
Thu Jul 11 12:16:52 GMT 2002

Can you post any full packets / web logs so we can see if it is somehow different?
The 'ping back' is certainly odd, but it could be caused by some load balancing
device (hehe... they try to optimize Nimda by sending it through a load balancer).

On Thu, 11 Jul 2002 15:45:26 +1000
"Malcolm Joosse" <malcolm at hotlinesupport.com> wrote:

> Hello All,
> Thank you to everyone submitting to this list, I have learnt a lot from the brain trust that actively submits to this list.
> I am currently being attacked by a site on Port 80. It looks like Nimda and is busy scanning our /22 range, but our firewall is doing its job. The weird thing is that when I pinged the attacking host it instantly replied with 10 ICMP ping packets back to the IP I was pinging from. Is this a new Nimda variant that I have not heard about?
> I tried from 3 different hosts and each time I got reverse pinged by the attacking host.
> Very weird.
> Thanks
> Malcolm

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org