Security Incidents mailing list archives

Re: nimda tries to send mail after reboot


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Wed, 19 Sep 2001 17:22:00 -0400

On Wed, Sep 19, 2001 at 11:13:30AM -0600, Brett Glass wrote:
Messages bearing the worm are starting to trickle in, slowly. It
may be that the worm is designed to start e-mailing only after the
infection is a certain number of hours old.

Sadly, the copies of the worm we're receiving are coming from
companies whose employees we'd expect to know better than to
leave machines unprotected -- such as V-One and SCO.

        Make sure you know who you are throwing stones at.  The worm
is spoofing the From addresses.  I just got done researching a pile
of them because people reported one of our majordomo servers was sending
out the worm.  Considering that it was a Linux box, that would have been
a good trick.  Header analysis indicated one particular IP address we
had never heard of was sending out all the copies of the worm with
our majordomo server as the From address.  I got five copies of the
worm from five different sources and all of them tracked back to
one IP address and none of them had any headers indicating that the
message had been anywhere near our site.  Sigh...  Maybe it was
someone who had recently subscribed to one of our mailing lists or
something, but I can't find where we've ever even been in contact with
any address within that /16...

I agree that it will be a very long week. None of our machines
is susceptible to the worm, but our backbone feed is getting
hammered. I wish we had a firewall under our control at our
upstream provider.

--Brett Glass

At 11:08 AM 9/19/2001, jforster () rapidnet com wrote:

I got a few copies of this worm (via e-mail) this afternoon.
Sadly, someone else in the office did as well (or hit an infected site).
It's going to be a long week....

        I know of several people who have been burned by browsing a
contaminated web site.  Then the damn thing drops its turds all
over every directory and on all the network shares it can reach and
on and on...

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
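The header analysis described above (tracing the copies back to one sending IP while the From: address named an unrelated server) can be scripted. The following is an added example, not code from this thread or from either poster; the message, hostnames and addresses are constructed for illustration (RFC 5737 documentation ranges and example.* names), and the "trusted MTA" and "claimed sender network" values are assumptions standing in for whatever your own site knows about its mail path.

```python
"""Trace a message with a spoofed From: back through its Received: headers.

Added example, not part of the original mailing-list thread. The sample
message, host names and IP addresses below are constructed for
illustration (RFC 5737 documentation ranges, example.* domains).
"""
import email
import ipaddress
import re

# Constructed sample. From: claims a list server at example.org, but the
# only host that connected to our MX was 203.0.113.42, which merely
# *announced* itself (HELO) as majordomo.example.org.
SAMPLE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123;
\tWed, 19 Sep 2001 12:01:00 -0400
Received: from majordomo.example.org ([203.0.113.42])
\tby mx.example.net with SMTP id xyz789;
\tWed, 19 Sep 2001 12:00:58 -0400
From: majordomo@example.org
To: victim@example.net
Subject: readme.exe

(body omitted)
"""

# Assumptions for the example: MTAs whose Received: lines we trust because
# we run them, and the network the From: domain's real list server lives in.
TRUSTED_MTAS = ["mx.example.net", "inbox.example.net"]
CLAIMED_SENDER_NET = "198.51.100.0/24"

# The bracketed IP is what the receiving MTA saw on the TCP connection and
# is the only part it vouches for; the name after "from" is sender-supplied.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(raw):
    """Return the Received: hops in transit order (first hop first).

    MTAs prepend Received: headers, so header order is newest-first;
    reversing it yields the path the message actually travelled.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        ip, helo, by = _IP_RE.search(text), _FROM_RE.search(text), _BY_RE.search(text)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def origin_ip(raw, trusted_mtas):
    """IP that connected to the earliest MTA we trust.

    Any Received: line below that one was handed to us by the remote side
    and may itself be forged, so it is not used for attribution.
    """
    trusted = {h.lower() for h in trusted_mtas}
    for hop in parse_received(raw):
        if hop["by"] and hop["by"].lower() in trusted:
            return hop["ip"]
    return None


def passed_through(raw, network):
    """True if any observed connecting IP lies inside `network`.

    A HELO name matching the From: domain does not count; only the
    bracketed address recorded by the receiving MTA does.
    """
    net = ipaddress.ip_network(network)
    return any(hop["ip"] and ipaddress.ip_address(hop["ip"]) in net
               for hop in parse_received(raw))


if __name__ == "__main__":
    for i, h in enumerate(parse_received(SAMPLE)):
        print(f"hop {i}: HELO {h['helo']!r} from [{h['ip']}] by {h['by']}")
    print("origin as far as we can vouch:", origin_ip(SAMPLE, TRUSTED_MTAS))
    print("claimed sender's network anywhere in path:",
          passed_through(SAMPLE, CLAIMED_SENDER_NET))
```

Run against the sample, this attributes the copy to 203.0.113.42 and reports that no hop ever touched the claimed sender's network, which is the "never been anywhere near our site" observation above. Point several such copies at the same function and compare the returned origin IPs before complaining to the domain in the From: line.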
