Re: NIMDA - ceased ? -
From: Neil Dickey (neil@geol.niu.edu)
Date: 12/27/02
Date: Fri, 27 Dec 2002 11:25:35 -0600 (CST)
From: Neil Dickey <neil@geol.niu.edu>
To: incidents@securityfocus.com

Tomo <tomo@c-wind.com> wrote asking:
>Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something)
>ceased ?
>04:54, Dec. 23 UTC is the last access of them, around here.
No, not around here anyway. My latest hit was this morning, the
27th. I will say that traffic levels for this one are somewhat
reduced from what they have been, and days may pass without any
hits.
My guess is that what we're seeing now isn't entirely the worm
operating, but that the worm's exploit has been incorporated into
various scripts.
Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115