Re: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?

[H C <keydet89 () yahoo com>]

> Can someone point me to a recent and fairly complete
> Nimda analysis?

Don't know why you didn't bother to check CERT:

http://www.cert.org/advisories/CA-2001-26.html

> I have logs of an infected host that's not only
> doing the "GET .../c+dir"
> thing and scanning for Windows shares, but also
> scanning for open TCP
> ports 20, 21, 23, and 25, *and* UDP 161.

So your web logs are receiving the directory
transversal attempts...is the first entry a query for
'/scripts/root.exe'?  

Also these other ports...20, 21, etc...are you seeing
simply SYN packets are your firewall?  What about the
Windows shares scan...did you capture all of the
packet data, or did you get just the SYN packets?
 
> Is this a variant I've not read about, or am I
> possibly cross-infected
> with Nimda *and* something else?

If you were infected w/ Nimda, what makes you think
that  you'd be *receiving* the scans?  If you were
infected w/ Nimda, you'd be getting calls or emails
from people, or catching it via egress filtering at
your firewall.

> Any info gratefully received,

I'm curious to know why suddenly everyone seems to
think that any scanning activity is attributed to a
worm.  It's pretty clear that many folks are now just
posting to the lists w/o doing any of their own
background research (as evidenced by Glenn's post),
but why even suggest that it's a worm if there is no
information to support that assumption?


__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com