Security Incidents mailing list archives

Re: Same sequence...


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Tue, 2 Dec 2003 10:12:00 -0500

Dejan Markovic wrote Monday, December 01, 2003 3:01 PM

Does anyone know which tool is being used for this scan? Snort has been logging the same sequence of scans from various IPs to all Web servers on my network, even though some are IIS and the others Apache. The data is included below.

The tool is the Nimda worm (or possibly any web scanning tool configured to imitate Nimda). Nimda uses the 16-step probe as shown. Nimda uses overly long encodings of Unicode characters. Some logging software resolves the Unicode partially or wholly, so you will find some variation in Nimda logs between various products.

These are years-old attacks against IIS. Apache systems are hit the same as IIS, but are not vulnerable. Patched IIS systems or systems protected by URLScan are not vulnerable.

I have seen a sudden resurgence in Nimda scans in the past week, but this happens every few months.
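The reply's point that "overly long" Unicode encodings show up differently depending on how much the logging product resolves them is what makes naive string matching on raw log lines unreliable. The following is an added example, not code from the original post or from any tool mentioned in it: it parses a few constructed Apache-style log lines, canonicalizes the request path (repeated percent-decoding plus folding of the invalid 0xC0/0xC1 two-byte sequences the way a lenient decoder would, which is an assumption about decoder behaviour, not something the post states), and counts cmd.exe/root.exe probes per source IP so that the raw, double-encoded and already-resolved variants of the same request all land in one bucket. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Apache combined-log style); not data from the original post.
# Lines 2-4 are the same traversal request as a logger might record it: raw overlong
# encoding, double percent-encoding, and fully resolved.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2003:14:55:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [01/Dec/2003:14:55:02 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [01/Dec/2003:14:55:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [01/Dec/2003:14:55:04 -0500] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [01/Dec/2003:14:56:10 -0500] "GET /index.html HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROBE_RE = re.compile(r"/(cmd|root)\.exe")


def percent_decode_fully(raw, max_rounds=3):
    """Percent-decode until the byte string stops changing (bounded), so %255c -> %5c -> \\."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def fold_overlong_utf8(raw):
    """Collapse two-byte sequences with lead byte 0xC0/0xC1 to the ASCII byte they encode.
    Valid UTF-8 never uses these lead bytes; a lenient decoder (assumed here) maps
    C0 AF -> '/' and C1 9C / C1 1C -> '\\' by taking the low bits of both bytes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(path):
    """Return (canonical lowercase path, list of encoding indicators seen on the way)."""
    raw = path.encode("latin-1")
    indicators = []
    decoded = percent_decode_fully(raw)
    if decoded != unquote_to_bytes(raw):
        indicators.append("double-encoding")   # a second decode round changed the path
    if any(b in (0xC0, 0xC1) for b in decoded):
        indicators.append("overlong-utf8")     # invalid lead bytes are a signal by themselves
    folded = fold_overlong_utf8(decoded).replace(b"\\", b"/")
    return folded.decode("latin-1").lower(), indicators


def classify_line(line):
    """Parse one log line; report whether its canonical path is a cmd.exe/root.exe probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    canonical, indicators = normalize_path(m["path"])
    return {
        "ip": m["ip"],
        "canonical": canonical,
        "indicators": indicators,
        "is_probe": bool(PROBE_RE.search(canonical)),
    }


def summarize(log_text):
    """Count probes per source IP after canonicalization, so encoding variants are not split."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit["is_probe"]:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify_line(line))
    print(summarize(SAMPLE_LOG))
```

Canonicalizing before matching is the design choice here: the three encodings of the traversal request decode to the identical string, so per-source counting (and any threshold for the full multi-step sequence the reply mentions) works the same whether the logger stored the bytes verbatim or resolved them. Matching on the raw percent-encoded text instead would need one signature per logging product.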




