Re: [logs] nimda web server logs

From: wolfgangat_private
Date: Sat Jun 15 2002 - 03:01:02 PDT


    Sweth Chandramouli wrote:
    > On Fri, Jun 14, 2002 at 12:27:19PM +0200, wolfgangat_private wrote:
    >> No requests for *.cif where seen in this case, and no requests for repair/sam
    >> either.
    
    > 	In which case, what is it about the requests that makes
    > you think they are related to the ones Tina was seeing?  Hmm... I feel
    > like this problem needs to be better defined...
    > 	In my world, a Nimda scan is one with a fairly constant
    > and short time delta between requests to machines on the same network,
    > and whose GET request string matches the following pseudo-grammar:
    
    > nimda:               base_dir traversal_string [ desired_file | command ]
    > base_dir:            /^(scripts|msadc|_mem_bin|_vti_bin|[cd])$/i
    > desired_file:        'Admin.dll'
    >                    | 'httpodbc.dll'
    > command:             command_interpreter command_string
    > command_interpreter: '/winnt/system32/cmd.exe?/c'
    >                    | 'root.exe?/c'
    > command_string:      tftp_command | local_exec
    > local_exec:          'dir'
    
    > 	, where I'm leaving traversal_string and tftp_command
    > undefined for now (both because I'm lazy and because I don't think it
    > will affect the problem definition significantly), and assuming the
    > parser uses forward slashes to separate tokens.
    > 	I think Tina's scans aren't Nimda, then, because they have
    > a different time signature (relatively long irregular pauses between
    > requests, as though someone were thinking about what to do next), and
    > because they have either a different desired_file ('winnt/repair/sam')
    > or a different local_exec ('dir+c:\\*.cif/s/b').
    > 	So, for these other scans that people are reporting: do
    > they match my definition of Nimda above, or not?  If not, how
    > specifically are they different?
    
    What gave me the idea that the requests I am seeing had something to do
    with the requests seen by others was the "galaxy_*" requests. I agree
    that Tina was probably seeing a manual attack disguised as Nimda, where
    I am seeing probably an automated scan, even if it's not an "original"
    Nimda attack. Key differences are apparently:
    - First request is always a GET for /galaxy_XXXXX.XXXX
    - the nimda-ish requests that follow are actually not GET but HEAD
    - there are a few (GET-)requests for /NULL.printer, NULL.ida and NULL.idq
      thrown in as well.
    I put a log of the scan against one of my servers up at
    http://www.jpaves.com/nimdalog.txt if anyone wants to see for himself.
    
    Wolfgang
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
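Sweth's pseudo-grammar and the markers Wolfgang lists (HEAD instead of GET, a leading /galaxy_ request, NULL.printer/ida/idq probes, and the time signature between requests) can be turned into a small per-host log classifier. The following Python is an added example, not code from either poster or from the list; it assumes Common Log Format input, reads the undefined traversal_string as any run of path segments and tftp_command as anything beginning with "tftp", and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Common Log Format): hosts, times and paths are made up to mirror the thread.
SAMPLE_LOG = """\
10.0.0.7 - - [14/Jun/2002:09:12:01 +0200] "GET /galaxy_12345.6789 HTTP/1.0" 404 -
10.0.0.7 - - [14/Jun/2002:09:12:01 +0200] "HEAD /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [14/Jun/2002:09:12:02 +0200] "HEAD /msadc/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [14/Jun/2002:09:12:02 +0200] "GET /NULL.printer HTTP/1.0" 404 -
10.0.0.9 - - [14/Jun/2002:09:15:40 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [14/Jun/2002:09:15:41 +0200] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.11 - - [14/Jun/2002:10:03:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b HTTP/1.0" 404 -
10.0.0.11 - - [14/Jun/2002:10:07:12 +0200] "GET /scripts/..%c1%1c../winnt/repair/sam HTTP/1.0" 404 -
"""
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
# Sweth's grammar as one regex; traversal_string (undefined in the post) is read as any run of
# path segments and tftp_command as anything starting with "tftp" (both are assumptions here).
NIMDA_RE = re.compile(
    r"^/(?:scripts|msadc|_mem_bin|_vti_bin|[cd])/"          # base_dir
    r"(?:[^/]*/)*?"                                          # traversal_string
    r"(?:Admin\.dll|httpodbc\.dll"                           # desired_file
    r"|(?:winnt/system32/cmd\.exe\?/c|root\.exe\?/c)"        # command_interpreter
    r"\+(?:dir|tftp[^ ]*))$",                                # local_exec | tftp_command
    re.IGNORECASE,
)
NULL_PROBES = {"/null.printer", "/null.ida", "/null.idq"}

def classify(log_text):
    """Per host: grammar hits, the HEAD/galaxy_/NULL.* markers Wolfgang lists, and the longest pause."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            runs[m["host"]].append((ts, m["method"], m["path"]))
    report = {}
    for host, reqs in runs.items():
        reqs.sort(key=lambda r: r[0])  # stable sort keeps log order for equal timestamps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        report[host] = {
            "requests": len(reqs),
            "grammar_hits": sum(bool(NIMDA_RE.match(p)) for _, _, p in reqs),
            "head_requests": sum(meth == "HEAD" for _, meth, _ in reqs),
            "galaxy_first": reqs[0][2].lower().startswith("/galaxy_"),
            "null_probes": sum(p.lower() in NULL_PROBES for _, _, p in reqs),
            "max_gap_s": max(gaps, default=0.0),  # long irregular gaps suggest a hand-driven scan
        }
    return report
```

On the sample, 10.0.0.9 fits Sweth's definition outright, 10.0.0.7 fits it only in its HEAD requests and carries Wolfgang's galaxy_/NULL.* markers, and 10.0.0.11 matches neither the grammar nor the short, regular time delta.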
    



    This archive was generated by hypermail 2b30 : Sat Jun 15 2002 - 12:27:32 PDT