Re: Textbook CodeRed v2 Caught By Snort
From: Nick FitzGerald (nick@virus-l.demon.co.uk)Date: 06/29/02
- Previous message: Hugo van der Kooij: "Re: EarlyBird for Other Attacks?"
- In reply to: Jeremy Junginger: "Textbook CodeRed v2 Caught By Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jun 2002 13:57:18 +1200 From: Nick FitzGerald <nick@virus-l.demon.co.uk> To: incidents@securityfocus.com
"Jeremy Junginger" <jjunginger@interactcommerce.com> wrote:
> I just wanted to share. ...
Why?
> ... It appears to be a compromised host. ...
Yep...
> ... Any thoughts?
I think someone has never seen a vulnerability scan from Nimda
before.
> [url/www.cert.org/advisories/CA-2001-19.html] WEB-IIS CodeRed v2
> root.exe access
Note this is trying to tell you that it detected an attempt to find
root.exe. It actually has no idea whether that root.exe (if it's
there) was actually deposited by "CodeRed v2" or by anything else.
Importantly though, it is _not_ trying to tell you something like
"CodeRed v2 is responsible for this". The pattern of other gets is
very reminiscent of Nimda, but it could be one of several generic IIS
vulnerability scans. However, according to several virus scanners,
the file you'd expect to d/l from the root of that web server is
Nimda.A, so I'd say the odds are good it was Niomda on the machine
that scanned you.
-- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Hugo van der Kooij: "Re: EarlyBird for Other Attacks?"
- In reply to: Jeremy Junginger: "Textbook CodeRed v2 Caught By Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
