Security Incidents mailing list archives

RE: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?


From: Tony Langdon <tlangdon () atctraining com au>
Date: Fri, 21 Dec 2001 09:42:37 +1100

I have logs of an infected host that's not only doing the "GET .../c+dir"
thing and scanning for Windows shares, but also scanning for open TCP
ports 20, 21, 23, and 25, *and* UDP 161.

So your web logs are receiving the directory traversal attempts...is the
first entry a query for '/scripts/root.exe'?

I have seen a massive increase in directory traversal and other IIS exploits
in the last week to 10 days.  Previously, there would only be a handful that
were recorded occasionally in an hour period.  Now, there are 50 or more
attempts an hour.  Has anyone else seen a similar increase in activity?

Also, the attempts in a series are repeated from the same IP address (dozens
in rapid succession), so whatever is doing the probing is very persistent
before moving on to the next victim.  There have now been scans from dozens
of very different IPs, again with the same volley of dozens of probes within
a very short period from each IP.

I haven't seen much activity on other ports though, except for the
background level of port 111 RPC scans that have been around a while.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
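The pattern described in this post (occasional traversal probes turning into volleys of dozens from one source in a short window, and an overall jump to 50 or more an hour) is straightforward to pull out of a web server access log. The script below is an added example, not code from the original post or from SecurityFocus: it parses Common Log Format lines, matches the probe URLs the thread mentions (`/scripts/root.exe`, `cmd.exe`, `/c+dir`) plus the usual encoded `..` traversal forms, then reports probe counts per hour and any source IP that fires at least `min_probes` probes inside a sliding window. All log lines, IP addresses and timestamps in it are constructed for illustration.

```python
"""Flag Nimda-style IIS probing in Common Log Format access logs.

Added example (not from the original mailing list post). Every log line,
address and timestamp below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# URL signatures of the probes the thread describes, plus common encoded
# ".." directory-traversal forms. Matched case-insensitively.
PROBE_PATTERNS = [
    re.compile(r"/scripts/root\.exe", re.I),
    re.compile(r"cmd\.exe", re.I),
    re.compile(r"/c\+dir", re.I),
    re.compile(r"\.\.(?:/|\\|%2f|%5c|%255c|%252f|%c0%af|%c1%1c|%c0%2f)", re.I),
]

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), url, status; None if unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url"),
            "status": int(m.group("status"))}


def is_probe(url):
    """True if the request URL matches any probe signature."""
    return any(p.search(url) for p in PROBE_PATTERNS)


def hourly_probe_counts(lines):
    """Count probe requests per clock hour, keyed 'YYYY-MM-DD HH:00'."""
    counts = defaultdict(int)
    for rec in (parse_line(l) for l in lines):
        if rec and is_probe(rec["url"]):
            counts[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


def bursting_sources(lines, min_probes=10, window=timedelta(seconds=60)):
    """Source IPs that issued >= min_probes probes within any `window`.

    Returns {ip: largest number of probes seen inside one window}.
    """
    by_ip = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec and is_probe(rec["url"]):
            by_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_probes:
            bursts[ip] = best
    return bursts


def _clf(ip, ts, url, status=404):
    """Build a constructed CLF line for the sample data."""
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.0" {status} 0'


# Constructed sample log: normal traffic, one isolated traversal probe, and
# a persistent scanner sending twelve probes in twelve seconds.
_SCANNER_URLS = [
    "/scripts/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
]
SAMPLE_LOG = [
    _clf("192.0.2.7", "20/Dec/2001:08:00:01 +1100", "/index.html", 200),
    _clf("192.0.2.7", "20/Dec/2001:08:05:30 +1100", "/images/logo.gif", 200),
    _clf("198.51.100.9", "20/Dec/2001:08:10:00 +1100",
         "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir"),
] + [
    _clf("203.0.113.42", f"20/Dec/2001:09:14:{sec:02d} +1100", _SCANNER_URLS[sec % 4])
    for sec in range(12)
] + ["this line is not in log format and is skipped"]

if __name__ == "__main__":
    print("probes per hour:", hourly_probe_counts(SAMPLE_LOG))
    print("bursting sources:", bursting_sources(SAMPLE_LOG))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the per-hour table shows the kind of jump the post describes (a handful an hour to 50 or more), and `bursting_sources` lists the persistent scanners worth blocking or reporting to their upstream.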
