Re: Textbook CodeRed v2 Caught By Snort

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 06/29/02


Date: Sat, 29 Jun 2002 13:57:18 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com


"Jeremy Junginger" <jjunginger@interactcommerce.com> wrote:

> I just wanted to share. ...

Why?

> ... It appears to be a compromised host. ...

Yep...

> ... Any thoughts?

I think someone has never seen a vulnerability scan from Nimda
before.

> [url/www.cert.org/advisories/CA-2001-19.html] WEB-IIS CodeRed v2
> root.exe access

Note this is trying to tell you that it detected an attempt to find
root.exe. It actually has no idea whether that root.exe (if it's
there) was actually deposited by "CodeRed v2" or by anything else.

Importantly though, it is _not_ trying to tell you something like
"CodeRed v2 is responsible for this". The pattern of other gets is
very reminiscent of Nimda, but it could be one of several generic IIS
vulnerability scans. However, according to several virus scanners,
the file you'd expect to d/l from the root of that web server is
Nimda.A, so I'd say the odds are good it was Nimda on the machine
that scanned you.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
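As an added example, not part of Nick's post or of any Snort rule: a small Python checker that shows the distinction he draws, namely that a root.exe alert only tells you a backdoor was probed for, while the pattern of requests from one source (not the alert name) is what suggests a worm-style IIS scan. The log format, client IPs and request lines below are constructed; the probe paths are modelled on the widely published IIS backdoor probes.

```python
import re
from collections import defaultdict

# Constructed sample web-server request lines (not from the original post).
# Assumed format: <client-ip> "<METHOD> <path> HTTP/1.x" <status>
SAMPLE_LOG = """\
10.0.0.5 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404
10.0.0.5 "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404
10.0.0.5 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
10.0.0.5 "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
10.0.0.9 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404
10.0.0.7 "GET /index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')

# What the "root.exe access" alert quoted in the post actually matches:
# a request for root.exe, nothing about who put it there.
ROOT_EXE_RE = re.compile(r'/root\.exe', re.IGNORECASE)
# Companion command-shell probes seen in the same IIS scan families.
CMD_EXE_RE = re.compile(r'/cmd\.exe', re.IGNORECASE)


def parse(log_text):
    """Group requested paths by client IP."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, _method, path, _status = m.groups()
            per_src[src].append(path)
    return per_src


def assess(log_text):
    """Classify each source by what its requests show, not by worm name."""
    verdicts = {}
    for src, paths in parse(log_text).items():
        root_hits = [p for p in paths if ROOT_EXE_RE.search(p)]
        cmd_hits = [p for p in paths if CMD_EXE_RE.search(p)]
        if not root_hits and not cmd_hits:
            verdicts[src] = "benign"
        elif len(set(root_hits + cmd_hits)) >= 3:
            # Several distinct backdoor probes from one source: worm-style
            # scan; which worm needs the payload, as the post points out.
            verdicts[src] = "scan-pattern: multiple backdoor probes"
        else:
            verdicts[src] = "single backdoor probe: root.exe/cmd.exe requested"
    return verdicts
```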