RE: Wave of Nimda-like hits this morning?

From: Greg Williamson (n120476@phaedrus.national.com.au)
Date: 02/27/02


Date: Wed, 27 Feb 2002 11:57:55 +1100 (EST)
From: Greg Williamson <n120476@phaedrus.national.com.au>
To: RLos@enteredge.com, incidents@securityfocus.com, brian@medcontrax.com


All,

>I have been seeing those scans pretty nonstop since the outbreak of
>Nimda. AT&T tells me that they have blocked Code Red, CRII, and Nimda
>upstream, but I still get this traffic 15 times a day or so. Yesterday,
>I had one IP hit my machine, looking for cmd.exe 27 times...

I've also seen a fair number of these recently. My "record" was 700+ hits from
a machine that was "close" to me. Judicious use of curl indicated that the
machine was infected with Nimda. A recent re-check has shown it to be resolved
now.

Whilst it takes some people quite a while to fix it (or in fact notice it)
("it'll never happen to me"), it's slowly diminishing.

I'm also not seeing any Apache crashes - Apache 1.3.12 on RH7.0 (plus
appropriate patches).

Greg.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
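As an added example (not Greg's code and not from the original thread), here is a small Python script that tallies Nimda-style probe requests per source IP from Apache access-log lines, the sort of count behind the "27 times" and "700+ hits" figures above. The sample log lines are constructed, and the probe-path patterns (root.exe, cmd.exe) are assumed signatures rather than anything quoted on this page.

```python
import re
from collections import Counter

# Constructed Apache common-log sample; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2002:10:01:02 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [27/Feb/2002:10:01:03 +1100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [27/Feb/2002:10:01:04 +1100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [27/Feb/2002:10:01:05 +1100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
192.0.2.9 - - [27/Feb/2002:10:02:00 +1100] "GET /index.html HTTP/1.1" 200 1532
192.0.2.9 - - [27/Feb/2002:10:02:01 +1100] "GET /images/logo.gif HTTP/1.1" 200 4102
198.51.100.7 - - [27/Feb/2002:10:03:00 +1100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
"""

# Common log format: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed probe signature: request paths ending in the executables Nimda-style
# scanners look for (matched case-insensitively to catch cmd.EXE variants).
PROBE_RE = re.compile(r'(root\.exe|cmd\.exe)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_probes(log_text):
    """Map each source IP to the number of its requests that match the probe signature."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["uri"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def noisy_sources(log_text, threshold):
    """Sorted list of source IPs whose probe count reaches the threshold."""
    return sorted(ip for ip, n in count_probes(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(count_probes(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:>15}  {n} probe request(s)")
```

Feed it a real access_log (for example via `count_probes(open(path).read())`) and the per-IP totals show which neighbours are still infected and worth a follow-up check.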


