Re: NIMDA - ceased ? -

From: James C. Slora Jr. (Jim.Slora@phra.com)
Date: 12/27/02

    Date: Fri, 27 Dec 2002 13:36:51 -0500
    From: "James C. Slora Jr." <Jim.Slora@phra.com>
    To: incidents@securityfocus.com
    
    

    Neil Dickey wrote Friday, December 27, 2002 12:25 PM

    > Tomo <tomo@c-wind.com> wrote asking:
    >
    > >Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something)
    > >ceased ?
    > >04:54, Dec. 23 UTC is the last access of them, around here.
    >
    > No, not around here anyway. My latest hit was this morning, the
    > 27th. I will say that traffic levels for this one are somewhat
    > reduced from what they have been, and days may pass without any
    > hits.
    >
    > My guess is that what we're seeing now isn't entirely the worm
    > operating, but that the worm's exploit has been incorporated into
    > various scripts.

    I believe that Nimda and Code Red are usually dormant at the end of every
    month anyway. They'll be back in a few days.

    But I agree that many Nimda-like probes are probably script kiddies. If you
    are talking about just the one particular hit that Tomo listed, most of my
    query sources have been script kiddies rather than Nimda.

    - Jim

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
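An added example, not part of the thread: detection logic a defender could run over web server access logs to count the double-encoded traversal probes discussed above (`..%252f..` decodes to `..%2f..` and then to `../`) and report each source's last hit, the figure Tomo and Neil are comparing. The log lines are constructed, and the `%255c` backslash variant is an assumed extension of the page's `%252f` pattern.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not taken from the thread). The first
# request mirrors the probe quoted above; the %255c line is a constructed backslash variant.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2002:04:54:00 +0000] "GET /scripts/..%252f../winnt/system32/ HTTP/1.0" 404 287
198.51.100.7 - - [27/Dec/2002:12:20:45 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [27/Dec/2002:09:12:33 +0000] "GET /scripts/..%255c../winnt/system32/ HTTP/1.0" 404 287
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(path, max_rounds=3):
    """Percent-decode until stable so %252f -> %2f -> / is caught (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_nimda_style_probe(path):
    """True when the fully decoded path traverses upward into winnt/system32."""
    decoded = fully_decode(path).replace("\\", "/").lower()
    return "../" in decoded and "winnt/system32" in decoded

def probe_hits(log_text):
    """Return (source, timestamp, raw path) for every matching request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_style_probe(m["path"]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m["src"], ts, m["path"]))
    return hits

def last_hit_per_source(log_text):
    """Most recent probe per source address: the 'last access' figure compared in the thread."""
    latest = {}
    for src, ts, _ in probe_hits(log_text):
        if src not in latest or ts > latest[src]:
            latest[src] = ts
    return latest

if __name__ == "__main__":
    for src, ts in sorted(last_hit_per_source(SAMPLE_LOG).items()):
        print(f"{src}: last Nimda-style probe at {ts:%Y-%m-%d %H:%M} UTC")
```

Single-encoded (`%2f`) and plain `../` requests are caught by the same check, since decoding stops as soon as the path is stable.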
