RE: Nimda Infections

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 11/13/01


Subject: RE: Nimda Infections
Date: Mon, 12 Nov 2001 16:52:29 -0800
Message-ID: <9D884881F5E1F24FB845967851720FC301A6F43D@red-msg-12.redmond.corp.microsoft.com>
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: <reilly@speakeasy.net>, <incidents@securityfocus.com>

Something to bear in mind, and something that really tweaks me WRT how
most folks seem to approach the whole Nimda issue:
1. You don't need IIS installed to get infected with Nimda; it has no
less than 5 other vectors to choose from
2. Installing the IIS patches on a web server is not a panacea for Nimda
(see #1); they only address the issues that Nimda exploited
3. The only absolute way to eradicate Nimda is to "nuke & pave" the
infected host and rebuild it OFF THE NETWORK.

Let's not discount the possibility that at least some of these requests
are coming from hosts that are there for the express purpose of
spreading Nimda and its ilk. I know of at least two Verizon-based hosts
that I've pointed out repeatedly only to see them remain on the 'net,
spewing forth their infection requests. If not for my ISA server, I
too may have fallen prey to these insidious jerks.

* Jim Harrison
MCP(NT4, 2K), A+, Network+

-----Original Message-----
From: reilly@speakeasy.net [mailto:reilly@speakeasy.net]
Sent: Monday, November 12, 2001 15:28
To: incidents@securityfocus.com
Subject: Nimda Infections

It's amazing to me when I see the amount of systems still infected with
Nimda. In today's logs I see a huge amount of systems in the ATT
network that are still banging away. I can't even give you the amount
of systems that I'm seeing from China. What is so difficult about
patching your system against the .hta, .htq vuln? I don't mean to go
off on a rant, but am I the only one that feels this way? Is everyone
else seeing the same activity?


------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
