Wave of Nimda-like hits this morning?

[Michael Sutton <msutton () gwu edu>]

Our snort logs have shown a fairly significant increase in Code Red/Nimda type
scanning for cmd.exe and root.exe over the past several days. I am wondering
if a new variant has emerged.

Michael Sutton


-----Original Message-----
From: Ralph Los [mailto:RLos () enteredge com]
Sent: Tuesday, February 26, 2002 9:47 AM
To: 'incidents () securityfocus com'
Subject: Wave of Nimda-like hits this morning?
Sensitivity: Confidential


Hey,
        I've had multiple clients' Solaris boxes crashing this morning from
what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual.
The same old unicode characters are present [%2f, %5c] but a new one has
appeared I haven't seen yet.  This line:

        '
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe '

        appears a few times and I'm not quite sure what to make of it...

        Please keep in mind that came from a Solaris box, Apache log.
Whatever this (maybe) new bug is, it's blowing up these boxes left and
right...can't figure it out.  They're all relatively new 1.3'ish versions I
think.

        Anyone else seeing anything weird?

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos () enteredge com
          (770) 955-9899 x.206
----------------------------------------|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Michael Sutton
msutton () gwu edu


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com