HP3000-L Archives

September 2001, Week 3

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Jazz Down?
From:
Jeff Kell <[log in to unmask]>
Reply To:
Jeff Kell <[log in to unmask]>
Date:
Fri, 21 Sep 2001 15:52:23 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (22 lines) 
"Senn, Bruce" wrote:
>
> We think now that we were/are seeing nimda infected systems searching for
> other systems listening on port 80.  Internally, we thought we were seeing
> spoofed MAC addresses, starting with 00-00-5e, but that turned out to be
> "normal" behaviour of our routers.

You can get a nimda "scanner" from:

   http://www.eeye.com/html/Research/Tools/nimda.html

It's a freebie, but I wouldn't advise running it on somebody else's
network as it will trigger any nimda monitors they may have going.

I've run it internally and it looks like it works, but have yet to
verify the results are 100% valid and not false positives.

Jeff

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2