Re: Textbook CodeRed v2 Caught By Snort

[Nick FitzGerald <nick () virus-l demon co uk>]

"Jeremy Junginger" <jjunginger () interactcommerce com> wrote:

> I just wanted to share.  ...

Why?

> ...  It appears to be a compromised host.  ...

Yep...

> ...  Any thoughts?

I think someone has never seen a vulnerability scan from Nimda 
before.

> [url/www.cert.org/advisories/CA-2001-19.html]  WEB-IIS CodeRed v2
> root.exe access

Note this is trying to tell you that it detected an attempt to find 
root.exe.  It actually has no idea whether that root.exe (if it's 
there) was actually deposited by "CodeRed v2" or by anything else.

Importantly though, it is _not_ trying to tell you something like 
"CodeRed v2 is responsible for this".  The pattern of other gets is 
very reminiscent of Nimda, but it could be one of several generic IIS 
vulnerability scans.  However, according to several virus scanners, 
the file you'd expect to d/l from the root of that web server is 
Nimda.A, so I'd say the odds are good it was Niomda on the machine 
that scanned you.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com