RE: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?

From: Tony Langdon (tlangdonat_private)
Date: Thu Dec 20 2001 - 14:42:37 PST


    > > I have logs of an infected host that's not only
    > > doing the "GET .../c+dir"
    > > thing and scanning for Windows shares, but also
    > > scanning for open TCP
    > > ports 20, 21, 23, and 25, *and* UDP 161.
    > 
    > So your web logs are receiving the directory
    > traversal attempts...is the first entry a query for
    > '/scripts/root.exe'?
    
    I have seen a massive increase in directory traversal and other IIS exploits
    in the last week to 10 days.  Previously, there would only be a handful that
    were recorded occasionally in an hour period.  Now, there's 50 or more
    attempts an hour.  Has anyone else seen a similar increase in activity?
    
    Also, the attempts in a series are repeated from the same IP address (dozens
    in rapid succession), so whatever is doing the probing is very persistent
    before moving onto the next victim.  There have now been scans from dozens
    of very different IPs, again with the same volley of dozens of probes within
    a very short period from each IP.
    
    I haven't seen much activity on other ports though, except for the
    background level of port 111 RPC scans that have been around a while.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
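One way to pull the repeated-probe sources described above out of IIS web logs, as an added example that is not part of the original post: it flags any client IP that sends several traversal or root.exe probes inside a short window and reports that source's first request. The log lines, IP addresses and the x.exe path are constructed placeholders, and the five-minute window and threshold of three are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C format (date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status); not from the original post.
SAMPLE_LOG = """\
2001-12-20 14:01:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-12-20 14:01:03 192.0.2.10 GET /scripts/..%5c../x.exe /c+dir 404
2001-12-20 14:01:04 192.0.2.10 GET /d/..%5c../x.exe /c+dir 404
2001-12-20 14:01:05 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-12-20 14:05:00 198.51.100.7 GET /index.html - 200
2001-12-20 14:09:30 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-12-20 14:30:00 203.0.113.5 GET /default.htm - 200
"""

# Probe signatures from the post: the root.exe query, the "/c+dir"
# argument, and dot-dot traversal (literal or URL-encoded).
PROBE_RE = re.compile(r"root\.exe|/c\+dir|\.\./|\.\.%", re.I)

def parse_line(line):
    """Return (timestamp, client_ip, uri) for one W3C log line."""
    date, time, ip, _method, stem, query, _status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, stem if query == "-" else f"{stem}?{query}"

def find_burst_sources(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {ip: (total_probes, first_probe_uri)} for every source
    that sent >= threshold probe requests inside any window-long span."""
    probes = defaultdict(list)  # ip -> [(ts, uri)]
    for raw in log_text.splitlines():
        if raw and not raw.startswith("#"):
            ts, ip, uri = parse_line(raw)
            if PROBE_RE.search(uri):
                probes[ip].append((ts, uri))
    flagged = {}
    for ip, events in probes.items():
        events.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), events[0][1])
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, first) in find_burst_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} probes, first request {first}")
```

The single root.exe hit from the second address stays below the threshold, which is the distinction between background noise and the persistent volleys the post describes.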
    



    This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 08:32:24 PST