I don't think I've seen a posting or action of the Nimda worm to infect anything other than IIS. I have over 500 Netscape servers on the net and none of them have had any problems. Everything in the logs shows only IIS exploits. Some of our IIS servers were infected, about 100, and we were able to clean them all with little to no problem without reformatting the systems.

Has anyone seen anything similar to what Jim has seen?

TrendMicro analysis of Nimda.A
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A&VSect=T

-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharrat_private]
Sent: Monday, November 12, 2001 4:52 PM
To: reillyat_private; incidentsat_private
Subject: RE: Nimda Infections

Something to bear in mind, and something that really tweaks me WRT how most folks seem to approach the whole Nimda issue:

1. You don't need IIS installed to get infected with Nimda; it has no less than 5 other vectors to choose from
2. Installing the IIS patches on a web server is not a panacea to Nimda (see #1), just the issues that Nimda exploited
3. The only absolute way to eradicate Nimda is to "nuke & pave" the infected host and rebuild it OFF THE NETWORK.

Let's not discount the possibility that at least some of these requests are coming from hosts that are there for the express purpose of spreading Nimda and its ilk. I know of at least two Verizon-based hosts that I've pointed out repeatedly only to see them remain on the 'net, spewing forth their infection requests. If not for my ISA server, I too may have fallen prey to these insidious jerks.

* Jim Harrison
MCP(NT4, 2K), A+, Network+

-----Original Message-----
From: reillyat_private [mailto:reillyat_private]
Sent: Monday, November 12, 2001 15:28
To: incidentsat_private
Subject: Nimda Infections

It's amazing to me when I see the amount of systems still infected with Nimda. In today's logs I see a huge amount of systems in the ATT network that are still banging away. I can't even give you the amount of systems that I'm seeing from China. What is so difficult about patching your system against the .hta, .htq vuln? I don't mean to go off on a rant but am I the only one that feels this way? Is everyone else seeing the same activity?

AT&T
12.101.62.4
12.102.47.51
12.103.156.10
12.103.159.94
12.64.128.3
12.64.134.199
12.72.139.96
12.73.5.135
12.74.161.194
12.75.41.165
12.77.146.214
12.77.148.241
12.77.151.250
12.78.144.115
12.81.109.130
12.81.120.25
12.81.163.216
12.81.2.240
12.83.81.182
12.83.83.74
12.84.96.198
12.87.145.155
12.88.161.248
12.88.173.180
12.89.165.130
12.91.118.157
12.98.144.18
12.99.178.250
12.99.179.10
12.99.28.7
12.99.94.158

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
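The posters are doing the same thing by hand: reading web server logs, recognising the IIS requests Nimda sends, and tallying the source hosts so they can be reported or blocked. The script below is an added example, not code from this thread or from any of its authors. It parses Common Log Format lines, matches them against Nimda's well-known request signatures (root.exe, cmd.exe and the Unicode/double-decode traversal forms), counts probes per source host, and separately flags successful fetches of readme.eml, which on a server's own log point at that server being infected rather than at the client. The log lines and addresses are constructed for the example.

```python
"""Flag Nimda-style probes in a web server access log and tally the sources.

Added example, not code from the thread. The request patterns are Nimda's
well-known signatures; the log lines below are constructed, not real traffic.
"""
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

# Requests an infected host sends while hunting for new IIS victims.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.I),   # backdoor left by Code Red II, reused by Nimda
    re.compile(r"/cmd\.exe", re.I),    # command interpreter reached via scripts/ or winnt/
    # Unicode and double-decode directory traversal ("..%c0%af", "..%255c", ...)
    re.compile(r"\.\.%(?:c0%af|c0%2f|c1%1c|c1%9c|252f|255c|25%35%63|%35%63|%35c)", re.I),
]

# A visitor fetching readme.eml from *this* server means the server itself is
# serving the worm's mail payload, i.e. it is probably already infected.
PAYLOAD_PATTERN = re.compile(r"/readme\.eml$", re.I)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2001:15:01:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [12/Nov/2001:15:01:02 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [12/Nov/2001:15:01:03 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [12/Nov/2001:15:01:03 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [12/Nov/2001:15:02:10 -0800] "GET /index.html HTTP/1.1" 200 4120
198.51.100.7 - - [12/Nov/2001:15:02:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.4 - - [12/Nov/2001:15:03:44 -0800] "GET /readme.eml HTTP/1.0" 200 57344
garbage line that does not parse
"""


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Label a request path: 'probe', 'payload', or None for ordinary traffic."""
    if any(p.search(path) for p in PROBE_PATTERNS):
        return "probe"
    if PAYLOAD_PATTERN.search(path):
        return "payload"
    return None


def summarize(log_text):
    """Tally probing source hosts and record payload fetches answered with HTTP 200."""
    probes = Counter()
    served_payload = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_clf(line)
        if rec is None:
            unparsed += 1          # keep a count so a format change is noticed
            continue
        kind = classify(rec["path"])
        if kind == "probe":
            probes[rec["host"]] += 1
        elif kind == "payload" and rec["status"] == "200":
            served_payload.append((rec["host"], rec["time"]))
    return {"probes": probes, "served_payload": served_payload, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for host, hits in result["probes"].most_common():
        print(f"{host:<16} {hits:>4} Nimda probe(s)")
    for host, when in result["served_payload"]:
        print(f"WARNING: readme.eml served to {host} at {when}; check this server for infection")
    print(f"{result['unparsed']} unparsed line(s)")
```

The probe tally is what the posters were compiling by hand: the remote hosts still "banging away". The readme.eml check looks the other direction; a 200 for that file from your own server is evidence that the server has been modified to serve the worm, which is the case Jim's "nuke & pave" advice applies to.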
This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 07:29:25 PST