Security Incidents mailing list archives
Re: NIMDA - ceased ? -
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Fri, 27 Dec 2002 13:36:51 -0500
Neil Dickey wrote Friday, December 27, 2002 12:25 PM
> Tomo <tomo () c-wind com> wrote asking:
>
>> Is NIMDA ...(GET /scripts/..%252f../winnt/system32 ...something) ceased ?
>> 04:54, Dec. 23 UTC is the last access of them, around here.
>
> No, not around here anyway. My latest hit was this morning, the 27th. I will say that traffic levels for this one are somewhat reduced from what they have been, and days may pass without any hits. My guess is that what we're seeing now isn't entirely the worm operating, but that the worm's exploit has been incorporated into various scripts.
I believe that Nimda and Code Red are usually dormant at the end of every month anyway. They'll be back in a few days. But I agree that many Nimda-like probes are probably script kiddies. If you are talking about just the one particular hit that Tomo listed, most of my query sources have been script kiddies rather than Nimda.

- Jim

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
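Added example, not part of the original thread: a small access-log triage script that canonicalizes request paths and flags the `..%252f..` style of probe discussed above, separating traversal that only appears after a second percent-decode from plain traversal and from benign `%25` use. The log lines, addresses and the `PLACEHOLDER` file name are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Addresses come from
# documentation ranges; the name after system32/ is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Dec/2002:09:14:02 -0500] "GET /scripts/..%252f../winnt/system32/PLACEHOLDER HTTP/1.0" 404 290
192.0.2.10 - - [27/Dec/2002:09:14:03 -0500] "GET /scripts/..%2f../winnt/system32/PLACEHOLDER HTTP/1.0" 404 290
198.51.100.7 - - [27/Dec/2002:09:20:41 -0500] "GET /docs/100%25-uptime.html HTTP/1.1" 200 5120
203.0.113.5 - - [27/Dec/2002:10:01:17 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')
# A ".." path segment delimited by either slash style.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_layers(path, max_rounds=4):
    """Percent-decode repeatedly until stable; return (decoded, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return (client, verdict, decode_rounds, canonical_path) or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, raw = m.group(1), m.group(2).split("?", 1)[0]
    canonical, rounds = decode_layers(raw)
    if not TRAVERSAL_RE.search(canonical):
        return client, "clean", rounds, canonical
    # If one decode does not expose the "..", a check that runs after a
    # single decode would pass a path that a second decode turns hostile.
    hidden = not TRAVERSAL_RE.search(unquote(raw))
    verdict = "double-encoded traversal" if hidden else "traversal"
    return client, verdict, rounds, canonical

def scan(log_text):
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for client, verdict, rounds, path in scan(SAMPLE_LOG):
        print(f"{client:15} {verdict:26} rounds={rounds} {path}")
```

Grouping the flagged results by client address and timing is a starting point for the worm-versus-script question raised in the thread; the script itself only identifies the request pattern.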