RE: Wave of Nimda-like hits this morning?

From: Brian Mooney (brian@medcontrax.com)
Date: 02/26/02


From: "Brian Mooney" <brian@medcontrax.com>
To: "'Ralph Los'" <RLos@enteredge.com>, <incidents@securityfocus.com>
Date: Tue, 26 Feb 2002 16:07:59 -0500

I have been seeing those scans pretty nonstop since the outbreak of
Nimda. AT&T tells me that they have blocked Code Red, CRII, and Nimda
upstream, but I still get this traffic 15 times a day or so. Yesterday,
I had one IP hit my machine, looking for cmd.exe 27 times...

-----Original Message-----
From: Ralph Los [mailto:RLos@enteredge.com]
Sent: Tuesday, February 26, 2002 9:47 AM
To: 'incidents@securityfocus.com'
Subject: Wave of Nimda-like hits this morning?
Sensitivity: Confidential

Hey,
        I've had multiple clients' Solaris boxes crashing this morning from
what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual.
The same old unicode characters are present [%2f, %5c] but a new one has
appeared I haven't seen yet. This line:

        '/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe'

        appears a few times and I'm not quite sure what to make of it...

        Please keep in mind this came from a Solaris box, Apache log.
Whatever this (maybe) new bug is, it's blowing up these boxes left and
right...can't figure it out. They're all relatively new 1.3'ish versions I
think.

        Anyone else seeing anything weird?

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos@enteredge.com
          (770) 955-9899 x.206
----------------------------------------|
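An added example in Python, not code from either poster or from the list: it parses constructed Apache common-log lines modelled on the probes Brian and Ralph describe, percent-decodes the request path, flags %5c / overlong-UTF-8 traversal and requests for cmd.exe or root.exe, and counts probes per source address so a repeat scanner like the 27-hit one stands out. The IPs, timestamps and log format are assumptions; the %c1%1c sequence is the overlong encoding that a Latin-1 viewer renders as "Á" once the server has decoded it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache common-log sample (addresses and times are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2002:09:41:02 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
192.0.2.10 - - [26/Feb/2002:09:41:03 -0500] "GET /msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
192.0.2.10 - - [26/Feb/2002:09:41:04 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286
198.51.100.7 - - [26/Feb/2002:09:42:10 -0500] "GET /index.html HTTP/1.1" 200 1423
198.51.100.7 - - [26/Feb/2002:09:42:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
"""

# ip, method, path, status from a common-log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Overlong UTF-8 lead bytes (%c0xx / %c1xx) used to smuggle '/' and '\' past a
# naive traversal check; the raw 0xC1 byte is what shows as "Á" in a log viewer.
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}', re.IGNORECASE)
TARGET_RE = re.compile(r'(cmd|root)\.exe$', re.IGNORECASE)

def normalize_path(raw_path):
    """Drop the query string, percent-decode once and treat '\\' as '/'."""
    return unquote(raw_path.split('?', 1)[0]).replace('\\', '/')

def classify_request(raw_path):
    """Return the reasons (possibly none) a request looks like a Nimda-style probe."""
    reasons = []
    if OVERLONG_RE.search(raw_path):
        reasons.append('overlong-utf8')
    path = normalize_path(raw_path)
    if '/../' in path:
        reasons.append('traversal')
    if TARGET_RE.search(path):
        reasons.append('cmd-or-root-exe')
    return reasons

def scan_log(text):
    """Return (Counter of probes per source IP, list of (ip, raw_path, reasons))."""
    per_ip, hits = Counter(), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable common-log line
        ip, _method, raw_path, _status = m.groups()
        reasons = classify_request(raw_path)
        if reasons:
            hits.append((ip, raw_path, reasons))
            per_ip[ip] += 1
    return per_ip, hits

if __name__ == '__main__':
    counts, hits = scan_log(SAMPLE_LOG)
    for ip, raw, reasons in hits:
        print(ip, ','.join(reasons), raw)
    for ip, n in counts.most_common():
        print(f'{ip}: {n} probe(s)')
```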

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
