Worm attacks

Russell Fulton r.fulton at auckland.ac.nz
Mon Jul 23 18:01:13 EDT 2001

On Mon, 23 Jul 2001 11:44:27 -0400 Carter Bullard <carter at qosient.com> 

> Hey Peter,
>    Thanks, I am primarily interested in methods for detecting
> infested servers from the logs.  Yours is really nice because
> its not vulnerability signature detection, it's actually a
> general behavioral deviation test, so that no matter if the
> worm got on through the network, a modem, or a floopy disk,
> you'll pick up the behavioral changes that the worm induces.

my watcher script picked up the outgoing scans as soon as they started.
(snort missed the CRV2, but caught CRV1!)

Some time after midnight UTC when the worm stopped scanning I ran ra:

ra -ncr <hourly file> -Zb dst net 130.216 and not est | grep S_ | wc -l

To count the number of incoming web probes that never got more than a 
SYN and posted the following data to our computer support list:

here is a count of the inbound web request to unassigned IP addresses 

10-11am 20348
11-12am 52180
12am-1pm 7677
2-3 pm   2469
3-4 pm   1979

Times are UTC +1200.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the argus mailing list