RE: nimda

[Rodney Wise <sctech29169 () yahoo com>]

I get hit all the time with SQL Spida worm and I am
not running a SQL Server at all! It seems reasonable
that he is getting hit with the Nimda scan, but
because it IS looking for an open port 80 it just
moves on.

Rodney Wise


--- "Hicks, John" <JHicks () JUSTICE GC CA> wrote:
> Nimbda is a hybrid virus composed of both Email and
> Web-Worm componants:
http://www.wired.com/news/technology/0,1282,46944,00.html
> hth,
>
> John
>
> -----Original Message-----
> From: J. Craig Woods
> [mailto:drjung () trismegistus net]
> Sent: Friday, July 12, 2002 4:21 PM
> To: Hugo Ferr; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] nimda
>
>
> Hugo Ferr wrote:
> > I just wonder-we're getting hit by bunch of nimda
> and those e-mails are
> > rejected on our perimeter mail scanner - shouldn't
> I see some activity in
> > snort regarding nimda?
> > (snort 1.8.6)
> > In snort.conf mail scanner is included in home_net
> and snort machine is
> set
> > up to sniff the traffic coming to firewall public
> ip (mail scanner has dmz
> > address nated to public ip by firewall)
> > So again isn't it strange taht I don't see any
> nimda activity in snort
> > sdensor?
>
> Maybe I am missing something here, and it would not
> be the first nor the
> last time that I missed something but wouldn't your
> mail scanner be
> picking traffic up on port 25? Nimda attacks would
> be on port 80.
> Furthermore, are you saying that the nimda is part
> of the email traffic?
> Not sure what you are saying here. Maybe you could
> elucidate for us...
>
> drjung
>
> -- 
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair
> --Emerson
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Gadgets, caffeine, t-shirts, fun stuff.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Gadgets, caffeine, t-shirts, fun stuff.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users