Security Incidents mailing list archives
Re: Same sequence...
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Tue, 2 Dec 2003 10:12:00 -0500
Dejan Markovic wrote Monday, December 01, 2003 3:01 PM
Does anyone know which tool is being used for this scan? Snort has been logging the same sequence of scans from various IPs to all Web servers on my network, regardless that some are IIS and the others Apache. The data is included below.
The tool is the Nimda worm (or possibly any web scanning tool configured to imitate Nimda). Nimda uses the 16-step probe as shown.

Nimda uses overly long encodings of Unicode characters. Some logging software resolves the Unicode partially or wholly, so you will find some variation in Nimda logs between various products.

These are years-old attacks against IIS. Apache systems are hit the same as IIS, but are not vulnerable. Patched IIS systems or systems protected by URLScan are not vulnerable.

I have seen a sudden resurgence in Nimda scans in the past week, but this happens every few months.
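The log variation between products that the reply describes can be removed before matching by decoding each logged path to a fixed point, so that partially and wholly resolved forms of one probe compare equal. This is an added example, not part of the original post: the `(ip, uri)` input shape, the constructed sample entries and the `cmd.exe`/`root.exe` target pattern are assumptions.

```python
import re
from collections import defaultdict

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# 0xC0/0xC1 never start valid UTF-8; they only appear in overlong encodings.
OVERLONG = re.compile(rb"[\xc0\xc1][\x00-\xff]")
# Assumption (not stated in the post): the probes end at cmd.exe or root.exe.
TARGET = re.compile(rb"/(cmd|root)\.exe$")

def canonical(uri: str) -> bytes:
    """Reduce a logged request path to one form, however far the logger decoded it."""
    raw = uri.split("?", 1)[0].encode("latin-1", errors="replace")
    while True:
        # One round of percent-decoding; invalid escapes are left untouched.
        step = PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        # Fold 2-byte overlong sequences the lenient way old decoders did.
        step = OVERLONG.sub(
            lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), step)
        if step == raw:  # fixed point: nothing left to decode
            return raw.replace(b"\\", b"/").lower()
        raw = step

def scan(entries):
    """Group probe hits by source IP: {ip: {canonical_path: hit_count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for ip, uri in entries:
        path = canonical(uri)
        if TARGET.search(path):
            hits[ip][path.decode("latin-1")] += 1
    return {ip: dict(paths) for ip, paths in hits.items()}

# Constructed sample entries (documentation addresses), not data from the thread.
SAMPLE = [
    ("192.0.2.10", "/scripts/root.exe?/c+dir"),
    ("192.0.2.10", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
    ("192.0.2.10", "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir"),  # decoded once by the logger
    ("192.0.2.10", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"),
    ("192.0.2.10", "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"),
    ("192.0.2.77", "/index.html"),
]

if __name__ == "__main__":
    for ip, paths in scan(SAMPLE).items():
        print(ip, sum(paths.values()), "probe hits,", len(paths), "distinct paths")
```

Counting hits per source after normalization also makes the repeated sequence stand out on Apache hosts, where the requests are logged but do nothing.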