Re: Textbook CodeRed v2 Caught By Snort

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 06/29/02


Date: Sat, 29 Jun 2002 13:57:18 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com


"Jeremy Junginger" <jjunginger@interactcommerce.com> wrote:

> I just wanted to share. ...

Why?

> ... It appears to be a compromised host. ...

Yep...

> ... Any thoughts?

I think someone has never seen a vulnerability scan from Nimda
before.

> [url/www.cert.org/advisories/CA-2001-19.html] WEB-IIS CodeRed v2
> root.exe access

Note this is trying to tell you that it detected an attempt to find
root.exe. It actually has no idea whether that root.exe (if it's
there) was actually deposited by "CodeRed v2" or by anything else.

Importantly though, it is _not_ trying to tell you something like
"CodeRed v2 is responsible for this". The pattern of other gets is
very reminiscent of Nimda, but it could be one of several generic IIS
vulnerability scans. However, according to several virus scanners,
the file you'd expect to d/l from the root of that web server is
Nimda.A, so I'd say the odds are good it was Niomda on the machine
that scanned you.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com