RE: Unicode worm?

From: Turner, Keith (Contractor) (TurnerL@tea-emh1.army.mil)
Date: Thu Aug 22 2002 - 09:12:06 PDT


      Based on each analysis I've seen on the Nimda worm, this is not the Nimda
    worm.  The Nimda worm targets IP addresses semi-randomly; different subnet
    masks get different probabilities.  This looks like an incremental scan.
    Also, it's only a single Unicode request.  It doesn't include the other
    tidbits which Nimda does, like checking for Code Red leftovers (root.exe),
    /c or /d.
    
    Keith
    
    
    
    -----Original Message-----
    From: Dean White [mailto:deanat_private]
    Sent: Thursday, August 22, 2002 1:09 AM
    To: Larsen, Colin
    Cc: incidentsat_private
    Subject: Re: Unicode worm?
    
    
    This is most likely the Nimda worm. The vulnerability the worm is attempting
    to exploit is called the Unicode Web traversal exploit.
    
    The worm is issuing a command to retrieve the directory listing of the C:
    drive. It does this to determine if it can successfully execute the cmd.exe
    shell with privilege.
    
    This worm copies itself to the server as admin.dll via TFTP. The source of
    the attack has a listening TFTP server to transmit the worm to the new system.
    
    Hope this clears this up.
    
    Cheers,
    Dean
    
    
    --------------------------------------------------------------------------------
    Dean White
    deanat_private
    Technical Director
    http://www.achillean.com.au
    Achillean Pty. Ltd. 
    "The integrity of your business is our business"
    --------------------------------------------------------------------------------
    
    
    On Thu, Aug 22, 2002 at 02:26:50PM +1000, Larsen, Colin wrote:
    > I get this every day. Usually in batches of 8 to 16 probes. Mostly from
    > China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
    > university!) I figure it's a fact of life that anything attached to the big
    > wide world is gonna get shot at.
    > 
    > Colin.
    > 
    > -----Original Message-----
    > From: John Sage [mailto:jsageat_private]
    > Sent: Thursday, 22 August 2002 4:01 p.m.
    > To: incidentsat_private
    > Subject: Re: Unicode worm?
    > 
    > 
    > Soeren, Keith:
    > 
    > On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
    > > In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
    > >    Turner, Keith (Contractor)  <TurnerL@tea-emh1.army.mil> wrote:
    > > 
    > > > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
    > > > not complete after one pass. Request will be rejected.  Site
    > > > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
    > > 
    > > I'm seeing the same requests.
    > 
    > I've recently seen several single-payload packet probes of the form:
    > 
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > 
    >  08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
    > TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
    > ***AP*** Seq: 0x36AEB784  Ack: 0x71FD0774  Win: 0x2238  TcpLen: 20
    > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
    > 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
    > 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
    > 63 2B 64 69 72 0D 0A 69 72 0D 0A                 c+dir..ir..
    > 
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > 
    > These have source IPs _not_ within my class B, or A; very quick,
    > typically six to nine packets for the total transaction, and they're gone.
    > 
    > 
    > - John
    > -- 
    > "You are in a little maze of twisty passages, all different."
    > 
    > PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
    > Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
    > 
    > --------------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
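The thread turns on two things: what the IIS log message "URL normalization was not complete after one pass" actually means for a request like `/scripts/..%255c%255c../winnt/system32/cmd.exe`, and Keith's point that a lone double-encoded cmd.exe request is not the same thing as the Nimda request set (root.exe plus the /c and /d virtual-directory probes). The Python below is an added example, not code from anyone in this thread: it decodes a request path pass by pass (so a request that only becomes a traversal on the second pass is flagged the way the log line above flags it), folds the overlong two-byte UTF-8 forms the original Unicode bug accepted (an approximation of the IIS decoder bug, assumed here, not taken from the thread), and then classifies each source by which indicators its requests carry. The log records, source addresses and function names are constructed for the example.

```python
"""Multi-pass decoding of IIS Unicode / double-decode traversal probes and a
per-source classifier along the lines Keith draws above.  Added example; the
sample records below are constructed, not real log data from the thread."""
import re

# Constructed sample records: (source address, request line).  The first
# request has the form quoted in the thread; 10.0.0.2 sends a Nimda-style set.
SAMPLE_LOG = [
    ("10.0.0.1", "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"),
    ("10.0.0.2", "GET /scripts/root.exe?/c+dir"),
    ("10.0.0.2", "GET /c/winnt/system32/cmd.exe?/c+dir"),
    ("10.0.0.2", "GET /d/winnt/system32/cmd.exe?/c+dir"),
    ("10.0.0.2", "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"),
    ("10.0.0.3", "GET /index.html"),
]

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.I)
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_overlong(raw: bytes) -> str:
    """Approximation (an assumption of this example) of the IIS 4/5 decoder
    bug: a 0xC0/0xC1 lead byte plus *any* following byte is accepted as an
    overlong two-byte encoding of an ASCII character, so %c0%af -> '/' and
    %c1%1c -> '\\'.  Every other byte is passed through as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_once(url: str) -> str:
    """One percent-decoding pass (no '+' handling, like a path decoder),
    followed by overlong-UTF-8 folding."""
    raw, i = bytearray(), 0
    while i < len(url):
        if url[i] == "%" and HEX2.fullmatch(url[i + 1:i + 3]):
            raw.append(int(url[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(url[i].encode("latin-1", "replace"))
            i += 1
    return decode_overlong(bytes(raw))


def normalize(path: str, max_passes: int = 4) -> tuple[str, int]:
    """Decode until the path stops changing.  Returns (normalized path with
    backslashes folded to '/', number of passes that changed something).
    A count above 1 is exactly the 'not complete after one pass' condition."""
    cur = path
    for n in range(1, max_passes + 1):
        nxt = decode_once(cur)
        if nxt == cur:
            return cur.replace("\\", "/"), n - 1
        cur = nxt
    return cur.replace("\\", "/"), max_passes


def classify_request(request_line: str) -> dict:
    """Split a request line, normalize the path and report the indicators
    the thread talks about: double encoding, traversal, shell invocation,
    the root.exe leftover, and the /c and /d virtual-directory probes."""
    method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    norm, passes = normalize(path)
    low = norm.lower()
    return {
        "method": method,
        "path": norm,
        "query": query,
        "passes": passes,
        "double_encoded": passes > 1,
        "traversal": bool(DOTDOT_RE.search(norm)),
        "shell": bool(SHELL_RE.search(norm)),
        "root_exe": low.endswith("/root.exe"),
        "virtual_dir": low.startswith(("/c/", "/d/")),
    }


def classify_source(requests: list[str]) -> str:
    """Keith's distinction: root.exe or the /c and /d probes mark the Nimda
    request set; a cmd.exe request on its own is just a Unicode probe."""
    findings = [classify_request(r) for r in requests]
    if any(f["root_exe"] or f["virtual_dir"] for f in findings):
        return "nimda-like"
    if any(f["shell"] for f in findings):
        return "unicode-probe"
    return "no-indicator"


def classify_log(records) -> dict:
    """Group (source, request) records by source and classify each source."""
    by_src = {}
    for src, req in records:
        by_src.setdefault(src, []).append(req)
    return {src: classify_source(reqs) for src, reqs in by_src.items()}


if __name__ == "__main__":
    for src, req in SAMPLE_LOG:
        print(src, classify_request(req))
    print(classify_log(SAMPLE_LOG))
```

Two things worth noticing when running it: the `%255c` request only turns into `..\\..` on the second decoding pass, which is why a server that decodes once and then checks for `..` can miss it, while the `%c1%1c` form needs a single pass but relies entirely on the lenient overlong decoding. Classification works on the whole set of requests from a source, not on one line, which is the same reasoning Keith applies to the "single Unicode request" he sees.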



    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 10:14:07 PDT