Re: Textbook CodeRed v2 Caught By Snort

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Fri Jun 28 2002 - 18:57:18 PDT

    "Jeremy Junginger" <jjungingerat_private> wrote:
    
    > I just wanted to share.  ...
    
    Why?
    
    > ...  It appears to be a compromised host.  ...
    
    Yep...
    
    > ...  Any thoughts?
    
    I think someone has never seen a vulnerability scan from Nimda 
    before.
    
    > [url/www.cert.org/advisories/CA-2001-19.html]  WEB-IIS CodeRed v2
    > root.exe access
    
    Note this is trying to tell you that it detected an attempt to find 
    root.exe.  It actually has no idea whether that root.exe (if it's 
    there) was actually deposited by "CodeRed v2" or by anything else.
    
    Importantly though, it is _not_ trying to tell you something like 
    "CodeRed v2 is responsible for this".  The pattern of other gets is 
    very reminiscent of Nimda, but it could be one of several generic IIS 
    vulnerability scans.  However, according to several virus scanners, 
    the file you'd expect to d/l from the root of that web server is 
    Nimda.A, so I'd say the odds are good it was Nimda on the machine 
    that scanned you.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
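    An added illustration of the distinction Nick draws above (this is not code
    from the post or from Snort): a small log triage script that groups the
    root.exe/cmd.exe GET probes per source address and labels a source that
    tried several distinct paths as a Nimda-style scan, while making no claim
    about what deposited any file on the scanning host. The log lines are
    constructed samples in Common Log Format; the threshold of three distinct
    paths is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample web-server log lines (Common Log Format), not from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2002:18:40:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [28/Jun/2002:18:40:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [28/Jun/2002:18:40:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [28/Jun/2002:18:40:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.1.9 - - [28/Jun/2002:18:41:10 -0700] "GET /index.html HTTP/1.1" 200 1043
192.168.1.9 - - [28/Jun/2002:18:41:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
"""

# client, method, path, status from a CLF line; other fields are skipped
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# request paths that the "root.exe access" style signatures key on
PROBE_RE = re.compile(r'/(root\.exe|cmd\.exe)\b', re.IGNORECASE)

def parse_requests(log_text):
    """Yield (client_ip, method, path, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def classify_sources(log_text, scan_threshold=3):
    """Group root.exe/cmd.exe probes per client and label the pattern.

    Returns {ip: {"paths": [...], "verdict": str}}.  "scan" means the client
    requested several distinct backdoor/shell paths, the multi-GET pattern
    typical of Nimda-style scanners; "single probe" means one path only.
    Neither verdict says what put any file on the scanning host (assumed
    threshold of 3 distinct paths).
    """
    probes = defaultdict(list)
    for ip, method, path, status in parse_requests(log_text):
        if method == "GET" and PROBE_RE.search(path):
            probes[ip].append(path.split("?", 1)[0])  # drop the query string
    report = {}
    for ip, paths in probes.items():
        distinct = sorted(set(paths))
        verdict = "scan" if len(distinct) >= scan_threshold else "single probe"
        report[ip] = {"paths": distinct, "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["paths"])
```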
    