Security Incidents mailing list archives

Re: Yet Another Nimda Thread (YANT)


From: Tracey Losco <tal1 () acf3 nyu edu>
Date: Fri, 21 Sep 2001 13:43:56 -0400

Are you asking whether anyone has seen a lack of the scans in their own netblock (i.e. 128.122), or in everything inclusive of that netblock (i.e. 128)?

I found a really cool script from this guy Bryan Andersen on one of the newsgroups, that tests for how many pokes you've seen from the Nimda worm, and as of 2:00pm yesterday, I haven't seen any from inside our own. See below:

Column i represents .ida requests on our network, column /16 is our network representing a Nimda file request, and you know the rest from there.

20/Sep/2001:14  i 1     /16 0   /8 2    /0 2
20/Sep/2001:15  i 0     /16 0   /8 1    /0 1
20/Sep/2001:16  i 0     /16 0   /8 0    /0 0
20/Sep/2001:17  i 1     /16 0   /8 0    /0 0
20/Sep/2001:18  i 1     /16 0   /8 1    /0 1
20/Sep/2001:19  i 0     /16 0   /8 0    /0 0
20/Sep/2001:20  i 0     /16 0   /8 0    /0 1
20/Sep/2001:21  i 0     /16 0   /8 0    /0 2
20/Sep/2001:22  i 0     /16 0   /8 0    /0 0
20/Sep/2001:23  i 1     /16 0   /8 0    /0 2
21/Sep/2001:00  i 1     /16 0   /8 0    /0 0
21/Sep/2001:01  i 1     /16 0   /8 1    /0 1
21/Sep/2001:02  i 0     /16 0   /8 2    /0 2
21/Sep/2001:03  i 0     /16 0   /8 1    /0 1
21/Sep/2001:04  i 1     /16 0   /8 1    /0 3
21/Sep/2001:05  i 0     /16 0   /8 3    /0 4
21/Sep/2001:06  i 0     /16 0   /8 1    /0 1
21/Sep/2001:07  i 1     /16 0   /8 0    /0 1
21/Sep/2001:08  i 0     /16 0   /8 0    /0 0
21/Sep/2001:09  i 0     /16 0   /8 0    /0 0
21/Sep/2001:10  i 1     /16 0   /8 1    /0 2
21/Sep/2001:11  i 0     /16 0   /8 0    /0 0
21/Sep/2001:12  i 0     /16 0   /8 0    /0 0
21/Sep/2001:13  i 1     /16 0   /8 0    /0 0

I don't know whether to be happy, or whether to be in fear of the storm to come...

--------------------------------------------------------------------
Tracey Losco
Network Security Analyst                security () nyu edu
ITS - Network Services                  http://www.nyu.edu/its/security
New York University                     (212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5


At 12:46 PM -0400 9/21/01, Portnoy, Gary wrote:
I heard there were a few reports of Nimda going completely quiet in certain
netblocks, but none were substantiated.  I haven't seen a single Nimda IIS
exploit attempt since a little before 10 AM (EST).  I checked my IDS, apache
logs, IIS logs -- nothing.  Seems like it went silent.  Still seeing CodeRed
though. Can any one correlate?  I am somewhere in the 12.27 netblock :)

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
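The hourly tally Tracey describes above, written out as an added example; this is not Bryan Andersen's script and not code from the original post. It reads Apache-style access-log lines (the sample lines embedded below are constructed), counts .ida probes per hour (the post's column i) and root.exe/cmd.exe requests (the "Nimda file request" columns), and splits the latter by whether the source address lies inside the site's own /16, its /8, or anywhere at all (/0). The matching rules, the 10.20.0.0/16 "own network", and the function names are this example's assumptions, not the original script's.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample of Apache common-log-format lines (not from the original post).
SAMPLE_LOG = """\
10.20.30.40 - - [20/Sep/2001:14:03:11 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 285
10.20.99.7 - - [20/Sep/2001:14:10:42 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
10.77.1.2 - - [20/Sep/2001:14:15:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
192.0.2.55 - - [20/Sep/2001:14:22:51 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.56 - - [20/Sep/2001:14:31:00 -0400] "GET /index.html HTTP/1.0" 200 1043
10.20.30.41 - - [20/Sep/2001:15:02:17 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
"""

# Common/combined log prefix: client, ident, user, [timestamp], "METHOD URI ...".
# The hour group keeps the day/month/year:hour form used in the post's table.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<hour>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}):\d{2}:\d{2} [^\]]*\] '
    r'"(?P<method>\S+) (?P<uri>\S+)'
)


def classify(uri):
    """Return 'ida' for a .ida probe, 'nimda' for a root.exe/cmd.exe probe, else None.

    Assumption of this example: these two substrings stand in for the post's
    column i and its 'Nimda file request' columns; the original script's exact
    matching rules are not given in the thread.
    """
    u = uri.lower()
    if ".ida" in u:
        return "ida"
    if "root.exe" in u or "cmd.exe" in u:
        return "nimda"
    return None


def tally(lines, own_net):
    """Count probes per hour; own_net is the site's own /16 as a string (assumed)."""
    own16 = ipaddress.ip_network(own_net, strict=False)
    own8 = own16.supernet(new_prefix=8)
    table = OrderedDict()  # log order is chronological, so insertion order is hour order
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        kind = classify(m.group("uri"))
        if kind is None:
            continue
        row = table.setdefault(m.group("hour"), {"i": 0, "/16": 0, "/8": 0, "/0": 0})
        if kind == "ida":
            row["i"] += 1
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # a hostname was logged instead of an address; cannot place it
        # The three columns nest: every /16 hit is also a /8 hit and a /0 hit.
        row["/0"] += 1
        if src in own8:
            row["/8"] += 1
        if src in own16:
            row["/16"] += 1
    return table


def render(table):
    """Format one line per hour in the same shape as the table in the post."""
    return "\n".join(
        f"{hour}  i {row['i']}\t/16 {row['/16']}\t/8 {row['/8']}\t/0 {row['/0']}"
        for hour, row in table.items()
    )


if __name__ == "__main__":
    print(render(tally(SAMPLE_LOG.splitlines(), "10.20.0.0/16")))
```

Because the columns nest, a sane run always shows /0 >= /8 >= /16 for every hour, which is the sanity check to apply to the output; a zero in the /16 column with non-zero /8 and /0 counts, as in the post's table, means the probes are arriving from outside the local /16 but not that the worm has gone quiet.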
