> Can someone point me to a recent and fairly complete > Nimda analysis? Don't know why you didn't bother to check CERT: http://www.cert.org/advisories/CA-2001-26.html > I have logs of an infected host that's not only > doing the "GET .../c+dir" > thing and scanning for Windows shares, but also > scanning for open TCP > ports 20, 21, 23, and 25, *and* UDP 161. So your web logs are receiving the directory transversal attempts...is the first entry a query for '/scripts/root.exe'? Also these other ports...20, 21, etc...are you seeing simply SYN packets are your firewall? What about the Windows shares scan...did you capture all of the packet data, or did you get just the SYN packets? > Is this a variant I've not read about, or am I > possibly cross-infected > with Nimda *and* something else? If you were infected w/ Nimda, what makes you think that you'd be *receiving* the scans? If you were infected w/ Nimda, you'd be getting calls or emails from people, or catching it via egress filtering at your firewall. > Any info gratefully received, I'm curious to know why suddenly everyone seems to think that any scanning activity is attributed to a worm. It's pretty clear that many folks are now just posting to the lists w/o doing any of their own background research (as evidenced by Glenn's post), but why even suggest that it's a worm if there is no information to support that assumption? __________________________________________________ Do You Yahoo!? Check out Yahoo! Shopping and Yahoo! Auctions for all of your unique holiday gifts! Buy at http://shopping.yahoo.com or bid at http://auctions.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 08:34:13 PST