On Fri, 3 Aug 2001, "James R. Van Zandt" <[EMAIL PROTECTED]> wrote:
> ...
> I read that the original worm used a fixed seed to generate its
> "random" addresses, but that later varients used a random seed.
Ah, that would explain what I am seeing better. Thanks!
Anyway, just when I thought my analysis method was well established
(maybe I could measure how the number of infected systems decreases
with time...) I got deluged with 300 additional port 80 hits this
afternoon!!!
It seems to be a variant (same IIS exploit but different payload) and
is coming to me primarily from Mediaone Cable modem (a /16 subnet).
Anyone see this today or know what it is?
Karl
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
