Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?

From: Glenn Forbes Fleming Larratt (glrattat_private)
Date: Wed Dec 19 2001 - 21:14:49 PST

    Can someone point me to a recent and fairly complete Nimda analysis?
    I have logs of an infected host that's not only doing the "GET .../c+dir"
    thing and scanning for Windows shares, but also scanning for open TCP
    ports 20, 21, 23, and 25, *and* UDP 161.
    
    Is this a variant I've not read about, or am I possibly cross-infected
    with Nimda *and* something else?
    
    Any info gratefully received,
    	-g
    
    -- 
    Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
    glrattat_private                        http://www.io.com/~glratt
    There are imaginary bugs to chase in heaven.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
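
Added example, not part of the original post: a small triage script that groups one host's outbound connections into the behaviours the message lists and counts distinct destinations per group, so a sweep across many hosts can be told apart from repeated contact with a single server. The log format, addresses, the 139/445 reading of "Windows shares" and the three-host threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample (not from the post). Fields: time src dst proto dport [request]
SAMPLE_LOG = """\
12:00:01 10.0.0.5 192.0.2.1 tcp 80 GET .../c+dir
12:00:01 10.0.0.5 192.0.2.2 tcp 80 GET .../c+dir
12:00:02 10.0.0.5 192.0.2.3 tcp 80 GET .../c+dir
12:00:03 10.0.0.5 192.0.2.1 tcp 139
12:00:03 10.0.0.5 192.0.2.2 tcp 139
12:00:03 10.0.0.5 192.0.2.3 tcp 445
12:00:04 10.0.0.5 192.0.2.1 tcp 21
12:00:04 10.0.0.5 192.0.2.2 tcp 21
12:00:04 10.0.0.5 192.0.2.3 tcp 21
12:00:05 10.0.0.5 192.0.2.1 udp 161
12:00:05 10.0.0.5 192.0.2.2 udp 161
12:00:05 10.0.0.5 192.0.2.3 udp 161
12:00:06 10.0.0.5 10.0.0.25 tcp 25
12:00:07 10.0.0.5 10.0.0.25 tcp 25
12:00:08 10.0.0.9 192.0.2.1 tcp 23
"""
# "Windows shares" taken to mean NetBIOS/SMB ports (assumption; the post names none).
SHARE_PORTS = {("tcp", 139), ("tcp", 445)}
# The extra ports reported in the post.
EXTRA_PORTS = {("tcp", 20), ("tcp", 21), ("tcp", 23), ("tcp", 25), ("udp", 161)}

def triage(log_text, src):
    """Map each behaviour bucket to the set of destinations src contacted."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[1] != src or not parts[4].isdigit():
            continue  # malformed record or a different source host
        dst, key = parts[2], (parts[3].lower(), int(parts[4]))
        request = parts[5] if len(parts) > 5 else ""
        if key == ("tcp", 80) and "c+dir" in request:
            buckets["http c+dir probe"].add(dst)
        elif key in SHARE_PORTS:
            buckets["windows share scan"].add(dst)
        elif key in EXTRA_PORTS:
            buckets["%s/%d" % key].add(dst)
    return dict(buckets)

def sweeps(buckets, min_dsts=3):
    """Buckets reaching min_dsts distinct hosts (hypothetical threshold)."""
    return sorted(b for b, dsts in buckets.items() if len(dsts) >= min_dsts)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, "10.0.0.5")
    print("sweep-like:", sweeps(found))
```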
    



    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 00:04:44 PST