Welchia / Nachi, DNS Poisoning and Shellcodes
Written by Mark Ryan Talabis   
Thursday, 01 December 2005

Except for unusual activity on the 29th of November and the 1st of December, the past few days were rather uneventful.

The most prominent signatures for the past few days were of the typical Welchia / Nachi pattern, as described in one of our previous analyses.

There was a very noticeable drop in the awstats and xmlrpc.php related activity that has been predominant for the past few weeks.

The activities on November 29 and December 1 were unusual, though, and worth a second look. These activities were:

  1. A peculiar shellcode activity on the 29th of November 2005
  2. A heavy UDP portsweep which turned out to be some very strange DNS activity on the 1st of December 2005

Both activities are still currently unexplained, though I have a theory that the DNS activity on December 1 might be DNS poisoning-related attacks.

 