"Senn, Bruce" wrote:
>
> We think now that we were/are seeing nimda infected systems searching for
> other systems listening on port 80. Internally, we thought we were seeing
> spoofed MAC addresses, starting with 00-00-5e, but that turned out to be
> "normal" behaviour of our routers.
You can get a nimda "scanner" from:
http://www.eeye.com/html/Research/Tools/nimda.html
It's a freebie, but I wouldn't advise running it on somebody else's
network as it will trigger any nimda monitors they may have going.
I've run it internally and it looks like it works, but have yet to
verify the results are 100% valid and not false positives.
Jeff
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *