Richard.Grantat_private wrote: > We have no less than 20 Lexmark printers that were infected. ... **Infected** ??? It seems unlikely that a network interface for any printer would be implemented on a 386+ running NT 4.0 or Win2K and with IIS as its web management interface. As those are the platform requirements for infection via Nimda's HTTP scanning distribution mecahism, I doubt you really mean "infected"... > ... In every case > they did not have up-to-date firmware. This started with Code Red and has > continued with Nimda. There are some notible differences though, Code Red > just started the printers sending out large quantities of packets. The Nimda > infected machines are searching for Web servers. ... That does sound weird. > ... In both cases upgrading the > firmware and restarting the printer has solved the problem. ... So, how big is a ROM image for these things -- with IIS running on NT or Win2K, they can't be small! > ... So far we have > not had any of our HP's infected by Nimda as they were by Code Red. ... Isn't that because HP's network interfaces are implemented as Linux on PowerPC with Apache for the web management interface? > ... This is > what we have found.. No -- that is what you reported. We're still in the dark about what you found. However, I'll hazard a guess about what you found. Your IDS flagged some "odd" traffic coming from your printers as Nimda. At a real stretch, I'll guess this traffic was a variation on the events Dave Taylor and Brian Marshall have reported of some Macs "bouncing" Nimda HTTP probes back to the originating machines (it could be as simple, depending on the IDS and the Nimda signature, as the printer's web interface returning a "not found" error page that included the requested URL). Remember, IDSes are fairly blunt and broad brush tools at the best of times, and doubly so in inexperienced hands. Please folk -- if you see something odd or weird you are not sure about it, post a description of what happened, what you did and what you saw then ask if anyone knows what's going on. For now, rumours of Nimda "infecting" Lexmark printers are exaggerated. Regards, Nick FitzGerald ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:15:49 PDT