Re: NIMDA - ceased ? -
From: James C. Slora Jr. (Jim.Slora@phra.com)
Date: 12/27/02
Date: Fri, 27 Dec 2002 13:36:51 -0500
From: "James C. Slora Jr." <Jim.Slora@phra.com>
To: incidents@securityfocus.com
Neil Dickey wrote Friday, December 27, 2002 12:25 PM
> Tomo <tomo@c-wind.com> wrote asking:
>
> >Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something)
> >ceased ?
> >04:54, Dec. 23 UTC is the last access of them, around here.
>
> No, not around here anyway. My latest hit was this morning, the
> 27th. I will say that traffic levels for this one are somewhat
> reduced from what they have been, and days may pass without any
> hits.
>
> My guess is that what we're seeing now isn't entirely the worm
> operating, but that the worm's exploit has been incorporated into
> various scripts.

I believe that Nimda and Code Red are usually dormant at the end of every
month anyway. They'll be back in a few days.

But I agree that many Nimda-like probes are probably script kiddies. If you
are talking about just the one particular hit that Tomo listed, most of my
query sources have been script kiddies rather than Nimda.

- Jim
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com