Re: Microsoft's Early Xmas Present.

From: Ryan Russell (ryan@securityfocus.com)
Date: 12/30/01


Date: Sat, 29 Dec 2001 22:04:14 -0700 (MST)
From: Ryan Russell <ryan@securityfocus.com>
To: "Jay D. Dyson" <jdyson@treachery.net>

On Fri, 28 Dec 2001, Jay D. Dyson wrote:

> Normally I wouldn't be sending this out, but I figure folks need
> to be aware and wary, considering the origin of this intrusion attempt.
>
> I received an early Xmas present from Microsoft. No, I didn't get
> XP, nor did I get the latest Office software suite.
>
> I got a Nimda intrusion attempt.

A tracert would seem to confirm:

 14 43 ms 46 ms 45 ms msftlabs-gw.customer.ALTER.NET [157.130.176.46]
 15 47 ms 46 ms 47 ms 208.217.184.1
 16 48 ms 47 ms 46 ms 192.168.1.1
 17 * * * Request timed out.

That, and an apparent NAT box of some sort. Which means that it's on some
sort of inside net, and running rampant over the weekend. Ouch.

But, having worked at a large software company myself in the past, there's
really no reason to think that your average desktop self-admin is going to
know any better. If anything, it highlights how inadequate expecting
normal people to keep up on patches is. I'm starting to think more and
more that a 3-month expiration date on Windows is a good idea. If you
haven't patched in 3 months, then your machine will refuse to do anything
but download patches...

                                        Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


