Security Incidents mailing list archives

Re: Microsoft's Early Xmas Present.


From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 29 Dec 2001 22:04:14 -0700 (MST)

On Fri, 28 Dec 2001, Jay D. Dyson wrote:

      Normally I wouldn't be sending this out, but I figure folks need
to be aware and wary, considering the origin of this intrusion attempt.

      I received an early Xmas present from Microsoft.  No, I didn't get
XP, nor did I get the latest Office software suite.

      I got a Nimda intrusion attempt.

A tracert would seem to confirm:

 14 43 ms 46 ms 45 ms msftlabs-gw.customer.ALTER.NET [157.130.176.46]
 15 47 ms 46 ms 47 ms 208.217.184.1
 16 48 ms 47 ms 46 ms 192.168.1.1
 17 * * * Request timed out.

That, and an apparent NAT box of some sort.  Which means that it's on some
sort of inside net, and running rampant over the weekend.  Ouch.

But, having worked at a large software company myself in the past, there's
really no reason to think that your average desktop self-admin is going to
know any better.  If anything, it highlights how inadequate expecting
normal people to keep up on patches is.  I'm starting to think more and
more that a 3-month expiration date on Windows is a good idea.  If you
haven't patched in 3 months, then your machine will refuse to do anything
but download patches...

                                        Ryan



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

