Security Incidents mailing list archives

Re: NIMDA - ceased ? -

From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Fri, 27 Dec 2002 13:36:51 -0500

Neil Dickey wrote Friday, December 27, 2002 12:25 PM

Tomo <tomo () c-wind com> wrote asking:

Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something)
ceased ?
04:54, Dec. 23 UTC is the last access of them, around here.


No, not around here anyway.  My latest hit was this morning, the
27th.  I will say that traffic levels for this one are somewhat
reduced from what they have been, and days may pass without any
hits.

My guess is that what we're seeing now isn't entirely the worm
operating, but that the worm's exploit has been incorporated into
various scripts.


I believe that Nimda and Code Red are usually dormant at the end of every
month anyway. They'll be back in a few days.

But I agree that many Nimda-like probes are probably script kiddies. If you
are talking about just the one particular hit that Tomo listed, most of my
query sources have been script kiddies rather than Nimda.

- Jim




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

NIMDA - ceased ? - Tomo (Dec 27)
- Re: NIMDA - ceased ? - Johannes Ullrich (Dec 27)
- Re: NIMDA - ceased ? - Jay D. Dyson (Dec 27)
- Re: NIMDA - ceased ? - Skip Carter (Dec 27)
- <Possible follow-ups>
- Re: NIMDA - ceased ? - Neil Dickey (Dec 27)
  - Re: NIMDA - ceased ? - James C. Slora Jr. (Dec 27)
- Re: NIMDA - ceased ? - Roger Thompson (Dec 30)