On Tue, Jun 11, 2002 at 02:32:43PM -0700, Michael Katz wrote:
>
> This is definitely not Nimda, although it attempts to exploit the same
> directory traversal vulnerability in IIS as Nimda
> (http://www.microsoft.com/technet/security/bulletin/ms00-078.asp). In
> fact, if these are the timestamps and there are no other logs, it appears
> that this attack is being manually performed.
>
> What makes you think that this is a variant of Nimda?

Brings to mind the ever-present danger of too many alerts making us numb to further alerts. I don't pay any attention to this stuff since I don't run any Windoze boxes, but if I did I might be ignoring the Nimda-looking stuff and miss something I'd like to know about.

Heck, if I were this attacker I'd replay some Nimda logs against my target before running my custom attack. The chances of them noticing the few new attack signatures are slimmer this way.

This risk is nothing new, but easy to forget how effective it is. I tend to forget at least :(

Makes me want to go back and look at how liberal my ignore regexps are in logcheck.

--
"If you torture the data enough, it will confess." - Ronald Coase.
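One way to check how liberal an ignore regexp is, as an added example that is not part of the original post: it replays log lines against a rule and lists the lines the rule would hide even though their request is not on a baseline of known worm noise. The log lines, both patterns, the baseline set and the `hidden_by` helper are constructed for illustration, and Python's `re` stands in for the egrep matching logcheck applies.

```python
import re

# Constructed access-log lines (illustrative, not from the original post).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2002:14:01:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [11/Jun/2002:14:01:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.77 - - [11/Jun/2002:14:20:41 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+ver HTTP/1.0" 404 -',
    '192.0.2.77 - - [11/Jun/2002:14:20:59 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

# Baseline of exact requests already accepted as worm noise (constructed sample).
KNOWN_NOISE = {
    "/scripts/root.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
}

# Hypothetical ignore rules: one matches on a substring, one pins the whole request.
LIBERAL = r'cmd\.exe|root\.exe'
STRICT = r'"GET /[A-Za-z_/.%0-9]*(cmd|root)\.exe\?/c\+dir HTTP/1\.[01]" 404 '

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def hidden_by(ignore_pattern, lines, known_noise=KNOWN_NOISE):
    """Return lines the rule suppresses whose request is not known noise."""
    rule = re.compile(ignore_pattern)
    hidden = []
    for line in lines:
        if not rule.search(line):
            continue  # not ignored, so it would still be reported
        match = REQUEST.search(line)
        # An ignored line with an unparsable or unfamiliar request is a blind spot.
        if match is None or match.group(1) not in known_noise:
            hidden.append(line)
    return hidden


if __name__ == "__main__":
    for name, pattern in (("liberal", LIBERAL), ("strict", STRICT)):
        blind = hidden_by(pattern, SAMPLE_LOG)
        print(f"{name}: {len(blind)} suppressed line(s) outside the baseline")
        for line in blind:
            print("   ", line)
```

Run against real logs, any line the audit prints is one the ignore rule would have kept out of the report.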
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 17:10:02 PDT