Security Incidents mailing list archives
RE: Wave of Nimda-like hits this morning?
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Tue, 26 Feb 2002 19:10:39 -0600
My Apache is receiving a lot of IIS attacks too :-) I have seen changes or additions to the GET request to exploit IIS. Sad to say, some of the IIS servers that are compromised are not well taken care of by the owner of that box due to zero knowledge about it.

-> -----Original Message-----
-> From: Brian Mooney [mailto:brian () medcontrax com]
-> Sent: Tuesday, February 26, 2002 3:08 PM
-> To: 'Ralph Los'; incidents () securityfocus com
-> Subject: RE: Wave of Nimda-like hits this morning?
-> Sensitivity: Confidential
->
-> I have been seeing those scans pretty nonstop since the outbreak of
-> Nimda. AT&T tells me that they have blocked Code Red, CRII, and Nimda
-> upstream, but I still get this traffic 15 times a day or so. Yesterday,
-> I had one IP hit my machine, looking for cmd.exe 27 times...
->
-> -----Original Message-----
-> From: Ralph Los [mailto:RLos () enteredge com]
-> Sent: Tuesday, February 26, 2002 9:47 AM
-> To: 'incidents () securityfocus com'
-> Subject: Wave of Nimda-like hits this morning?
-> Sensitivity: Confidential
->
-> Hey,
-> I've had multiple clients' Solaris boxes crashing this morning from
-> what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the
-> usual.
-> The same old unicode characters are present [%2f, %5c] but a new one has
-> appeared I haven't seen yet. This line:
->
-> '/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe'
->
-> appears a few times and I'm not quite sure what to make of it...
->
-> Please keep in mind that came from a Solaris box, Apache log.
-> Whatever this (maybe) new bug is, it's blowing up these boxes left and
-> right...can't figure it out. They're all relatively new 1.3'ish
-> versions I think.
->
-> Anyone else seeing anything weird?
->
-> ----------------------------------------|
-> Ralph M. Los
-> Sr. Security Consultant and Trainer
-> EnterEdge Technology, L.L.C.
-> rlos () enteredge com
-> (770) 955-9899 x.206
-> ----------------------------------------|
->
-> ----------------------------------------------------------------------------
-> This list is provided by the SecurityFocus ARIS analyzer service.
-> For more information on this free incident handling, management
-> and tracking system please see: http://aris.securityfocus.com
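The log triage described in this thread (counting how often one source requests cmd.exe or root.exe from an Apache server), as an added example that is not part of any poster's message. The log lines are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
TARGETS = ("cmd.exe", "root.exe")  # the two filenames named in the thread

def normalise(path, max_rounds=3):
    """Percent-decode until stable (probes may double-encode), fold \\ to /."""
    for _ in range(max_rounds):
        # latin-1 maps every byte to a character, so odd bytes are kept
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_iis_probe(path):
    """True when the decoded request path ends in one of the IIS targets."""
    p = normalise(path).split("?", 1)[0]
    return p.rsplit("/", 1)[-1] in TARGETS

def probes_by_source(lines):
    """Count IIS-style probe requests per client address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_iis_probe(m.group(2)):
            hits[m.group(1)] += 1
    return hits

# Constructed sample log (not taken from the thread)
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2002:09:41:02 -0500] "GET /scripts/..%5c../root.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [26/Feb/2002:09:41:03 -0500] "GET /msadc/..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 290',
    '192.0.2.10 - - [26/Feb/2002:09:41:04 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 288',
    '198.51.100.7 - - [26/Feb/2002:09:42:10 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [26/Feb/2002:09:42:11 -0500] "GET /docs/cmd.exe.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for source, count in probes_by_source(SAMPLE_LOG).most_common():
        print(f"{source}\t{count} probe request(s)")
```

On Apache these requests should only ever produce 4xx responses, so the per-source counts are mainly useful for spotting infected hosts to report upstream.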