[Dshield] Okay, I'm stumped.

van Niekerk Niel nielvanniekerk at oldmutual.com
Thu May 9 09:51:26 GMT 2002

Preston Simpson Wrote:
>Paul Marsh wrote:
>> Looks like Nimda to me..
>	I would agree with you, except that I've seen plenty of Nimda
>in the same logs and this doesn't look like any of them.


I agree with you, this is definitely not a normal Nimda attempt...
It tries a number of directory traversals just like Nimda, but it uses HEAD
requests instead of GETs; this should actually be slightly quicker to verify
vulnerability. It also tries more combinations of encoding the traversals
and starts at various different known starting points for the traversals. It
looks like an attempt to gather details of vulnerable systems, rather than
an attempt to exploit them immediately...
Then there is also the little ida/idq buffer overflow a la CodeRed thrown in
at the end.

You should be extremely worried about those "200" responses your server
gives; this indicates success and that your server is vulnerable to those
specific variants of the traversal... If there isn't some other reason you
can explain for the 200s, take that machine down, rebuild it (1st prize) or
give it a *thorough* check (2nd prize) and secure it before you bring it
back up!

To me it looks like a home grown script/program to check for the Nimda/Code
Red vulnerabilities, because:
a) The speed at which the requests came in indicates that they were
automated, thus a script/program
b) There is needless repetition of the same exploit (not in any discernible
pattern either); this smacks of a "cut and paste" job to me. It looks to me
like some of the exploits are mangled and will NEVER work (I might be wrong
here though), pointing to the same thing.

The motives of these scans could be numerous...

Anyone else with ideas / seen this before???

Hope this helps


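The checks discussed above (HEAD-based traversal probes in several encodings, the ida/idq request, and the worrying 200 responses) as an added log-triage example; this is not code from the original post, the log lines are constructed, and the ida/idq query-length threshold is an assumption:

```python
import re
from urllib.parse import unquote

# Common/combined log format: client, ident, user, [time], "METHOD URI PROTO", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (not from the original post); the .ida query is padding only.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [09/May/2002:09:40:01 +0000] "HEAD /scripts/..%5c../probe.txt HTTP/1.0" 200 0',
    '192.0.2.10 - - [09/May/2002:09:40:01 +0000] "HEAD /_vti_bin/..%255c../..%255c../probe.txt HTTP/1.0" 404 0',
    '192.0.2.10 - - [09/May/2002:09:40:02 +0000] "HEAD /msadc/..%c0%af../probe.txt HTTP/1.0" 200 0',
    '192.0.2.10 - - [09/May/2002:09:40:02 +0000] "GET /default.ida?' + "X" * 80 + ' HTTP/1.0" 200 0',
    '198.51.100.7 - - [09/May/2002:09:41:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
])

def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Peel off layered percent-encoding and map '\\' and overlong UTF-8 separators to '/'.
    Decoding as latin-1 keeps each %xx as one char so %c0%af can be matched afterwards."""
    for _ in range(rounds):                      # several rounds catch %255c -> %5c -> '\'
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\xc0\xaf", "/").replace("\xc1\x9c", "/")   # overlong '/' and '\'
    return uri.replace("\\", "/")

def is_traversal(uri: str) -> bool:
    path = normalize_uri(uri).split("?", 1)[0]
    return "/../" in path or path.endswith("/..")

def is_ida_probe(uri: str, min_query: int = 64) -> bool:
    """Index Server ISAPI extension hit with an unusually long query (threshold assumed)."""
    path, _, query = uri.partition("?")
    return path.lower().endswith((".ida", ".idq")) and len(query) >= min_query

def scan_log(text: str) -> dict:
    """Count probe types and list the probes the server answered with 200 (the real worry)."""
    findings = {"traversal": 0, "ida_idq": 0, "head_probes": 0, "succeeded": []}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, uri, status = m.groups()
        trav, ida = is_traversal(uri), is_ida_probe(uri)
        if not (trav or ida):
            continue
        findings["traversal"] += int(trav)
        findings["ida_idq"] += int(ida)
        findings["head_probes"] += int(method == "HEAD")
        if status == "200":
            findings["succeeded"].append((client, method, uri))
    return findings
```

Any entry in `succeeded` means the server did not reject the encoded traversal or the ida/idq request, which is the case the post says warrants taking the host down for rebuild or review.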


