Re: Same sequence...
From: James C. Slora Jr. (Jim.Slora_at_phra.com)
Date: 12/02/03
- Previous message: Bill McCarty: "Re: udp and dst port 1026"
- In reply to: Dejan Markovic: "Same sequence..."
- Next in thread: Henderson, Dennis K.: "RE: Same sequence..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Dejan Markovic" <dejanmarkovic@hotmail.com>, <INCIDENTS@SECURITYFOCUS.COM>
Date: Tue, 2 Dec 2003 10:12:00 -0500
Dejan Markovic wrote Monday, December 01, 2003 3:01 PM
> Does anyone know which tool is being used for this scan? Snort has been
> logging the same sequence of scans from various IPs to all Web servers on
> my network, regardless that some are IIS and the others Apache. The data is
> included below.
The tool is the Nimda worm (or possibly any web scanning tool configured to
imitate Nimda).
Nimda uses the 16-step probe as shown. Nimda uses overly long encodings of
Unicode characters. Some logging software resolves the Unicode partially or
wholly, so you will find some variation in Nimda logs between various
products.
These are years-old attacks against IIS. Apache systems are hit the same as
IIS, but are not vulnerable. Patched IIS systems or systems protected by
URLScan are not vulnerable.
I have seen a sudden resurgence in Nimda scans in the past week, but this
happens every few months.
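
Added example, not part of the original message or thread: a small normalizer that reduces differently logged forms of the same overlong-encoded request to one canonical string, so entries from products that resolve the encoding partially or wholly can be matched together. The sample URIs are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lead byte 0xC0/0xC1 always starts an overlong two-byte form of a 7-bit
# character; strict UTF-8 rejects it, lenient decoders resolve it.
_OVERLONG = re.compile(r"%c([01])%([0-9a-f]{2})", re.IGNORECASE)
_PCT = re.compile(r"%([0-9a-f]{2})", re.IGNORECASE)

def _resolve_overlong(m):
    # Lenient decode: lead byte gives bit 6, second byte the low six bits.
    return chr((int(m.group(1)) << 6) | (int(m.group(2), 16) & 0x3F))

def normalize(uri, max_rounds=4):
    """Return (canonical_uri, had_overlong, decode_rounds)."""
    had_overlong, rounds = False, 0
    for _ in range(max_rounds):
        step, n = _OVERLONG.subn(_resolve_overlong, uri)
        had_overlong = had_overlong or n > 0
        # Byte-wise percent decode (Latin-1); enough for grouping log lines.
        step = _PCT.sub(lambda m: chr(int(m.group(1), 16)), step)
        if step == uri:
            break
        uri, rounds = step, rounds + 1
    return uri.replace("\\", "/").lower(), had_overlong, rounds

def group_variants(uris):
    """Map each canonical URI to the raw log variants that reduce to it."""
    groups = defaultdict(list)
    for raw in uris:
        groups[normalize(raw)[0]].append(raw)
    return dict(groups)

# Constructed sample request URIs, not taken from the original post.
SAMPLE = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",   # overlong '/'
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",   # overlong '\'
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",    # double-encoded
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",      # logger decoded once
    "/scripts/..\\../winnt/system32/cmd.exe?/c+dir",       # logger decoded fully
    "/index.html?q=caf%C3%A9",                             # benign UTF-8
]

if __name__ == "__main__":
    for canon, raws in group_variants(SAMPLE).items():
        print(len(raws), canon)
```

A request whose `had_overlong` flag is set, or whose `decode_rounds` is 2 or more, was not produced by a normal browser and is worth alerting on regardless of the server platform that received it.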