RE: Nimda Infections

From: Jim Harrison (SPG) (jmharrat_private)
Date: Mon Nov 12 2001 - 16:52:29 PST

    Something to bear in mind, and something that really tweaks me WRT how
    most folks seem to approach the whole Nimda issue:
    1. You don't need IIS installed to get infected with Nimda; it has no
    less than 5 other vectors to choose from
    2. Installing the IIS patches on a web server is not a panacea for Nimda
    (see #1), just for the issues that Nimda exploited
    3. The only absolute way to eradicate Nimda is to "nuke & pave" the
    infected host and rebuild it OFF THE NETWORK.
    
    Let's not discount the possibility that at least some of these requests
    are coming from hosts that are there for the express purpose of
    spreading Nimda and its ilk.  I know of at least two Verizon-based hosts
    that I've pointed out repeatedly only to see them remain on the 'net,
    spewing forth their infection requests.  If not for my ISA server, I
    too may have fallen prey to these insidious jerks.
    
    * Jim Harrison 
    MCP(NT4, 2K), A+, Network+
    
    
    
    
    -----Original Message-----
    From: reillyat_private [mailto:reillyat_private] 
    Sent: Monday, November 12, 2001 15:28
    To: incidentsat_private
    Subject: Nimda Infections
    
    
    It's amazing to me when I see the amount of systems still infected with
    Nimda.  In today's logs I see a huge amount of systems in the ATT
    network that are still banging away.  I can't even give you the amount
    of systems that I'm seeing from China.  What is so difficult about
    patching your system against the .hta, .htq vuln?  I don't mean to go
    off on a rant, but am I the only one that feels this way?  Is everyone
    else seeing the same activity?
    
    
    AT&T
    12.101.62.4
    12.102.47.51
    12.103.156.10
    12.103.159.94
    12.64.128.3
    12.64.134.199
    12.72.139.96
    12.73.5.135
    12.74.161.194
    12.75.41.165
    12.77.146.214
    12.77.148.241
    12.77.151.250
    12.78.144.115
    12.81.109.130
    12.81.120.25
    12.81.163.216
    12.81.2.240
    12.83.81.182
    12.83.83.74
    12.84.96.198
    12.87.145.155
    12.88.161.248
    12.88.173.180
    12.89.165.130
    12.91.118.157
    12.98.144.18
    12.99.178.250
    12.99.179.10
    12.99.28.7
    12.99.94.158
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
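The quoted post pulls a list of still-infected AT&T hosts out of a day's web logs by hand. The script below is an added example for this thread (it is not code from either poster) that does the same triage mechanically: it parses Common Log Format access-log lines, flags the requests that match the Nimda web probe patterns published in CERT CA-2001-26 (root.exe, cmd.exe and the IIS traversal encodings), counts probes per source address, and groups the sources by netblock so a per-provider list like the one above falls out for abuse reporting. The log lines are constructed; the source addresses in them are taken from the post, the 192.0.2.x / 203.0.113.x addresses are documentation ranges, and the CLF layout is an assumption (IIS of that era logged W3C extended format, so the regex would need adapting).

```python
"""Triage Nimda probes in a web access log and group the sources by netblock.

Added example for this thread, not code from either poster.  Log lines are
constructed; source IPs 12.101.62.4 and 12.64.128.3 come from the post.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Nimda web-probe indicators (CERT CA-2001-26): the root.exe backdoor left by
# Code Red II and cmd.exe reached through the IIS traversal / double-decode
# encodings.  Used here purely to classify log lines.
NIMDA_PATH_RE = re.compile(
    r'(root\.exe|cmd\.exe|%c1%1c|%c0%2f|%c0%af|%c1%9c|%255c|%%35%63|%%35c|%252f)',
    re.IGNORECASE,
)


def parse_clf(line):
    """Return host/method/path/status/size for a CLF line, or None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_nimda_probe(path):
    """True if the requested path carries one of the Nimda probe indicators."""
    return NIMDA_PATH_RE.search(path) is not None


def nimda_sources(lines):
    """Map each source IP that sent at least one Nimda probe to its probe count."""
    counts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_nimda_probe(rec["path"]):
            counts[rec["host"]] += 1
    return counts


def group_by_netblock(counts, prefixlen=8):
    """Collapse per-host counts into /prefixlen blocks -> [(host, count), ...] sorted by IP."""
    blocks = defaultdict(list)
    for host, n in counts.items():
        net = ip_network(f"{host}/{prefixlen}", strict=False)
        blocks[str(net)].append((host, n))
    return {net: sorted(hosts, key=lambda h: ip_address(h[0]))
            for net, hosts in blocks.items()}


def report(lines, prefixlen=8):
    """Render the per-netblock list: one header line per block, one line per host."""
    out = []
    for net, hosts in sorted(group_by_netblock(nimda_sources(lines), prefixlen).items()):
        out.append(f"{net}  ({len(hosts)} hosts, {sum(n for _, n in hosts)} probes)")
        out.extend(f"  {host}  {n}" for host, n in hosts)
    return "\n".join(out)


# Constructed sample log: two post IPs probing, one documentation-range
# prober, one benign request, and one line that is not CLF at all.
SAMPLE_LOG = [
    '12.101.62.4 - - [12/Nov/2001:15:01:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '12.101.62.4 - - [12/Nov/2001:15:01:02 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '12.64.128.3 - - [12/Nov/2001:15:04:31 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.9 - - [12/Nov/2001:15:07:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.50 - - [12/Nov/2001:15:09:45 -0800] "GET /index.html HTTP/1.1" 200 2134',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Grouping on /8 reproduces the post's "AT&T = 12.x.x.x" view; pass `prefixlen=16` or `24` when the provider's allocations are finer. The probe count per host is the useful detail for an abuse report: a source that is still sending the full probe set weeks after the fix shipped is exactly the kind of host Jim's reply describes.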
    



    This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 07:18:27 PST