RE: Nimda Infections

From: Jim Harrison (SPG) (jmharrat_private)
Date: Mon Nov 12 2001 - 16:52:29 PST

Next message: Brice Carlson: "Re: sub-7"

Previous message: Dial Joe: "RE: Nimda Infections"
Maybe in reply to: reillyat_private: "Nimda Infections"
Next in thread: Reilly: "RE: Nimda Infections"
Next in thread: Reilly: "RE: Nimda Infections"
Reply: Reilly: "RE: Nimda Infections"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Something to bear in mind, and something that really tweaks me WRT how
most folks seem to approach the whole Nimda issue:
1. You don't need IIS installed to get infected with Nimda; it has no
less than 5 other vectors to choose from
2. Installing the IIS patches on a web server is not panacea to Nimda
(see #1), just the issues that Nimda exploited
3. The only absolute way to eradicate Nimda is to "nuke & pave" the
infected host and rebuild it OFF THE NETWORK.

Let's not discount the possibility that at least some of these requests
are coming from hosts that are there for the express purpose of
spreading Nimda and its ilk.  I know of at least two Verizon-based hosts
that I've pointed out repeatedly only to see them remain on the 'net,
spewing forth their infections requests.  If not for my ISA server, I
too may have fallen prey to these insidious jerks.

* Jim Harrison 
MCP(NT4, 2K), A+, Network+




-----Original Message-----
From: reillyat_private [mailto:reillyat_private] 
Sent: Monday, November 12, 2001 15:28
To: incidentsat_private
Subject: Nimda Infections


It's amazing to me when I see the amount of systems still infected with
Nimda.  In today's logs I see a huge amount of systems in the ATT
network that are still banging away.  I can't even give you the amount
of systems that I'm seeing from China.  What is so difficult about
patching your system against the .hta, .htq vuln.  I don't mean to go
off on a rant but am I the only one that feels this way?  Is everyone
else seeing the same activity?


AT&T
12.101.62.4
12.102.47.51
12.103.156.10
12.103.159.94
12.64.128.3
12.64.134.199
12.72.139.96
12.73.5.135
12.74.161.194
12.75.41.165
12.77.146.214
12.77.148.241
12.77.151.250
12.78.144.115
12.81.109.130
12.81.120.25
12.81.163.216
12.81.2.240
12.83.81.182
12.83.83.74
12.84.96.198
12.87.145.155
12.88.161.248
12.88.173.180
12.89.165.130
12.91.118.157
12.98.144.18
12.99.178.250
12.99.179.10
12.99.28.7
12.99.94.158

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Brice Carlson: "Re: sub-7"
Previous message: Dial Joe: "RE: Nimda Infections"
Maybe in reply to: reillyat_private: "Nimda Infections"
Next in thread: Reilly: "RE: Nimda Infections"
Next in thread: Reilly: "RE: Nimda Infections"
Reply: Reilly: "RE: Nimda Infections"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 07:18:27 PST