Re: Same sequence...

From: James C. Slora Jr. (Jim.Slora_at_phra.com)
Date: 12/02/03

  • Next message: Henderson, Dennis K.: "RE: Same sequence..."
    To: "Dejan Markovic" <dejanmarkovic@hotmail.com>, <INCIDENTS@SECURITYFOCUS.COM>
    Date: Tue, 2 Dec 2003 10:12:00 -0500
    
    

    Dejan Markovic wrote Monday, December 01, 2003 3:01 PM

    > Does anyone know which tool is being used for this scan. Snort has been
    > logging the same sequence of scans from various IPs to all Web servers on my
    > network, regardless that some are IIS and the others Apache. The data is
    > included below.

    The tool is the Nimda worm (or possibly any web scanning tool configured to
    imitate Nimda).
    Nimda uses the 16-step probe as shown. Nimda uses overly long encodings of
    Unicode characters. Some logging software resolves the Unicode partially or
    wholly, so you will find some variation in Nimda logs between various
    products.

    These are years-old attacks against IIS. Apache systems are hit the same as
    IIS, but are not vulnerable. Patched IIS systems or systems protected by
    URLScan are not vulnerable.

    I have seen a sudden resurgence in Nimda scans in the past week, but this
    happens every few months.
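
    As an added example (not part of this reply or the thread), the Python below shows why the same probe looks different between logging products and how a detector can normalise it: it percent-decodes repeatedly and folds overlong two-byte UTF-8 sequences the way a permissive server-side decoder would, so the encoded, double-encoded and already-decoded spellings of one path all match a single rule. The sample request lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not taken from the thread) showing one
# IIS traversal probe as different loggers might record it: raw overlong
# UTF-8, double percent-encoding, and already decoded.
SAMPLE_LOG = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",  # overlong UTF-8 '/'
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",  # overlong UTF-8 '\'
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",   # %25 + 5c -> '\'
    "GET /scripts/../winnt/system32/cmd.exe?/c+dir",          # logger decoded it
    "GET /index.html HTTP/1.0",                                # benign
]

# Canonical form matched after normalisation: ../ or ..\ hops leading to cmd.exe.
TRAVERSAL = re.compile(r"(?:\.\.[\\/])+.*cmd\.exe", re.IGNORECASE)

def decode_lenient(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %255c becomes a backslash), then fold each
    2-byte UTF-8 lead sequence, including the overlong 0xC0/0xC1 forms strict
    decoders reject, into the code point it spells (mimics a permissive decoder)."""
    data = raw.encode("latin-1", "ignore")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            # 110xxxxx 10yyyyyy -> xxxxxyyyyyy; low 6 bits of the second byte are used even if it is not a valid continuation byte
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def is_traversal_probe(request_line: str) -> bool:
    """True if the request path, once normalised, contains a traversal to cmd.exe."""
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else parts[0]
    return TRAVERSAL.search(decode_lenient(path)) is not None

def flag_probes(lines):
    """Return the request lines that normalise to the traversal probe."""
    return [line for line in lines if is_traversal_probe(line)]
```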
