Security Incidents mailing list archives

Re: Wave of Nimda-like hits this morning?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 26 Feb 2002 12:28:32 -0800 (PST)


On Tue, 26 Feb 2002, Ralph Los wrote: 

I've had multiple clients' Solaris boxes crashing this morning from what
appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual. 
The same old unicode characters are present [%2f, %5c] but a new one has
appeared I haven't seen yet.  This line: 

      '/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe'

        I had a few of those today as well.  Early Bird[1] classified them
as Nimda attacks and fired off its cursory notice to the offending IPs.  I
didn't give it any more thought, and my Solaris boxen certainly haven't
croaked over this fresh batch of scans.

        I'm puzzled as to why your Solaris boxen are falling over from
these scans.  These requests really shouldn't do much more than generate a
404 on a Solaris system running Apache unless you've got something really 
funky set up. 

Whatever this (maybe) new bug is, it's blowing up these boxes left and
right...can't figure it out.  They're all relatively new 1.3'ish
versions I think. 

        I've heard rumblings of an Apache/PHP exploit making the rounds.
Any of these machines using PHP by chance?

-Jay

1.      http://www.treachery.net/earlybird/

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'
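As an added example (not from this thread, from Ralph's or Jay's setups, or from Early Bird), here is a small Python access-log checker for the request shapes quoted above: it undoes `%5c`/`%2f`, applies a lenient two-byte decode for sequences such as `%c1%1c` and `%c0%af` (assumed here to be what the archive renders as `Á`), normalises both slash forms, and flags traversal requests aimed at `cmd.exe` or `root.exe`. The log lines, client addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines modelled on the thread's requests; IPs and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2002:09:12:01 -0800] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
192.0.2.10 - - [26/Feb/2002:09:12:02 -0800] "GET /msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
192.0.2.10 - - [26/Feb/2002:09:12:03 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295
198.51.100.7 - - [26/Feb/2002:09:13:10 -0800] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [26/Feb/2002:09:13:11 -0800] "GET /docs/..%2f..%2fetc/passwd HTTP/1.0" 404 295
"""

# Client address and request path from a common-log-format line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
TARGETS = ("cmd.exe", "root.exe")   # what Nimda-style traversals reach for


def lenient_decode(path):
    """Percent-decode, then apply a deliberately lenient two-byte UTF-8 decode
    that never checks the continuation byte (the behaviour these scans were
    written for), so %c1%1c -> '\\' and %c0%af -> '/'. Returns (path, flag)."""
    raw, out, overlong, i = unquote_to_bytes(path), [], False, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b < 0xE0 and i + 1 < len(raw):
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:                 # overlong/malformed: lands in ASCII
                out.append(chr(cp)); overlong = True; i += 2
                continue
        out.append(chr(b) if b < 0x80 else "?")
        i += 1
    return "".join(out), overlong


def classify(path):
    decoded, overlong = lenient_decode(path)
    norm = decoded.replace("\\", "/")     # treat backslash like a slash
    traversal = "/../" in norm or norm.endswith("/..")
    target = any(t in norm.lower() for t in TARGETS)
    return {"traversal": traversal, "target": target, "overlong": overlong,
            "nimda_like": traversal and target}


def scan_log(text):
    """(client_ip, raw_path, verdict) for each traversal or tool request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            v = classify(m.group(2))
            if v["traversal"] or v["target"]:
                hits.append((m.group(1), m.group(2), v))
    return hits
```

Grouping the hits by client address before anything is sent out is what keeps a notice-per-request tool from spamming one scanning host several times over.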



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

