I have been seeing those scans pretty nonstop since the outbreak of Nimda. AT&T tells me that they have blocked Code Red, CRII, and Nimda upstream, but I still get this traffic 15 times a day or so. Yesterday, I had one IP hit my machine, looking for cmd.exe 27 times...

-----Original Message-----
From: Ralph Los [mailto:RLosat_private]
Sent: Tuesday, February 26, 2002 9:47 AM
To: 'incidentsat_private'
Subject: Wave of Nimda-like hits this morning?
Sensitivity: Confidential

Hey,

I've had multiple clients' Solaris boxes crashing this morning from what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual. The same old unicode characters are present [%2f, %5c], but a new one has appeared that I haven't seen yet. This line:

' /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe '

appears a few times and I'm not quite sure what to make of it... Please keep in mind that this came from a Solaris box, Apache log. Whatever this (maybe) new bug is, it's blowing up these boxes left and right... can't figure it out. They're all relatively new 1.3-ish versions, I think.

Anyone else seeing anything weird?

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
EnterEdge Technology, L.L.C.
rlosat_private
(770) 955-9899 x.206
----------------------------------------|

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
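The request paths quoted in this thread (the %5c and %2f traversal, and the Á byte that appears in the Apache log) are what a defender would match on when triaging web logs for this traffic. The Python below is an added example, not code from the thread or from SecurityFocus: it normalizes each logged request path the way the probed IIS servers decoded it and flags Nimda-style traversal toward cmd.exe or root.exe. It assumes the Á in the quoted line is the 0xC1 lead byte of an overlong %c1%1c sequence rendered in Latin-1, and the log lines it parses are constructed sample input.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log lines modelled on the request paths quoted in
# the thread (sample input for this example, not lines from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Feb/2002:09:30:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
203.0.113.10 - - [26/Feb/2002:09:30:02 -0500] "GET /msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [26/Feb/2002:09:31:11 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.10 - - [26/Feb/2002:09:31:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
"""

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGETS = (b"cmd.exe", b"root.exe")  # final path components the worm family requests

def normalize_path(raw_path: str) -> bytes:
    """Percent-decode the path, fold the overlong two-byte UTF-8 sequences that
    IIS once accepted as separators (%c0%af -> '/', %c1%1c -> '\\'), and map
    backslashes to '/', so every traversal shows up as a literal '..' segment."""
    data = unquote_to_bytes(raw_path.split("?", 1)[0])
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            # 0xC0/0xC1 never lead valid UTF-8, so folding them cannot hit real data
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out).replace(b"\\", b"/")

def classify(line: str):
    """Return (client_ip, reason) for a Nimda-style probe, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    segments = normalize_path(m.group(4)).split(b"/")
    last = segments[-1].lower()
    traversal, target = b".." in segments, last in TARGETS
    if traversal or target:
        kind = "traversal to " if traversal else "direct request for "
        return m.group(1), kind + last.decode("ascii", "replace")
    return None

def scan(log_text: str):
    """Run classify() over every line; keep the hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Because the decoding is done in bytes, the same function catches the double-encoded and overlong variants that a plain substring match on "cmd.exe" in the raw log would also catch, while showing which of them actually escape the web root.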
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 16:34:04 PST