From: Chad Smykay (csmykay RACKSPACE.COM)
Date: Tue Sep 18 2001 - 12:54:23 CDT
Apparently there is a new worm called "nimda". Here is some REALLY general
info:
http://www.f-secure.com/v-descs/nimda.shtml
Other links in regards to this:
http://www.cert.org/current/current_activity.html#port80
http://www.cert.org/advisories/CA-2001-11.html
However, I wanted to review what I have found so far. From what I can tell
there is an "mmc.exe" process or processes that is being run when there are
NO other users logged in and no such process being spawned.
Also it appears to be doing NetBIOS scans at the same time it is doing these
IP range scans. By monitoring a current server that is running this
exploit, I see about 20-30 "net.exe" and "net1.exe" being spawned. Most
likely they are also trying to do NetBIOS scans either on the current
network they are on or other IP ranges.
The only thing that we can think to do at this time is to block this traffic
via IDS.
It also appears that they are attempting to send this new "readme.exe" via
the IIS SMTP Server, but we cannot confirm that right now. Anyone?
Here is a snippet from the log files that, if you check right now on
your server, you will probably see:
<-- Begin Logfile snip
[Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does not exist: /usr/local/etc/httpd/sites/default.ida
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/MSADC/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/c/winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/d/winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Á../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..Áœ../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not exist: /usr/local/etc/httpd/sites/scripts/..%2f../winnt/system32/cmd.exe
<-- End logfile snip
Please note that the above is from a Linux Web server but you will see the
same across the board.
Here is another snip from a Windows NT server logfile:
<-- Begin log snip
4:48:02 209.61.190.233 GET /scripts/root.exe 403
14:48:02 209.61.190.233 GET /MSADC/root.exe 200
14:48:31 209.61.187.113 GET /scripts/root.exe 403
14:48:31 209.61.187.113 GET /MSADC/root.exe 200
14:48:31 209.61.187.113 GET /MSADC/root.exe 502
14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500
14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /d/winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /scripts/..Á../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/../../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..\../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..%2f../winnt/system32/cmd.exe 403
<-- End log snip
If you have ANY additional info please share with everyone.
Kind Regards,
Chad Smykay
Rackspace Managed Hosting
______________________________________
Chad Smykay
Sys Admin Complex Division
Rackspace Managed Hosting
800-961-4454 ext. 1249.
______________________________________
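Added example, not part of the original post: a small triage script that picks the probe requests shown in the two log snippets above out of Apache error-log lines and IIS-style "time ip GET path status" lines and tallies them per client. The sample log lines are constructed (RFC 5737 addresses), modeled on the ones in the post.

```python
import re
from collections import defaultdict

# Apache 1.3 error-log line, as quoted in the post, and the IIS log layout of the second snippet.
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
IIS_RE = re.compile(r"^(?P<ts>\d{1,2}:\d{2}:\d{2}) (?P<ip>[\d.]+) GET (?P<path>\S+) (?P<status>\d{3})$")

# Match on the requested target, not on the traversal encoding: the post's logs reach the same
# cmd.exe via %5c, %2f and raw/overlong UTF-8 sequences, so the file name is the stable signal.
PROBE_TARGETS = ("/scripts/root.exe", "/msadc/root.exe", "/msadc/admin.dll", "/winnt/system32/cmd.exe")
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%5c|%2f|%c0%af|%c1%1c|%c1%9c)\.\.", re.IGNORECASE)

# Constructed sample, shaped like the two snippets in the post.
SAMPLE_LOG = """\
[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:20 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:23:01 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/etc/httpd/sites/favicon.ico
14:48:31 192.0.2.10 GET /MSADC/root.exe 200
14:48:31 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 403
14:48:31 192.0.2.10 GET /scripts/..%2f../winnt/system32/cmd.exe 403
14:49:00 198.51.100.7 GET /index.html 200
"""


def parse_line(line):
    """Return {'ts', 'ip', 'path', 'status'} for a recognised log line, else None."""
    m = APACHE_RE.match(line) or IIS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"]) if rec.get("status") else None  # Apache error log has no status
    return rec


def is_probe(path):
    """True if the request asks for one of the binaries the worm looks for."""
    return any(target in path.lower() for target in PROBE_TARGETS)


def summarize(lines):
    """Per-client tallies: probes seen, how many used a traversal sequence, how many got a 200."""
    report = defaultdict(lambda: {"first_seen": None, "probes": 0, "traversal": 0, "served_200": 0})
    for rec in filter(None, map(parse_line, lines)):
        if not is_probe(rec["path"]):
            continue
        r = report[rec["ip"]]
        r["first_seen"] = r["first_seen"] or rec["ts"]
        r["probes"] += 1
        if TRAVERSAL_RE.search(rec["path"]):
            r["traversal"] += 1
        if rec["status"] == 200:  # the server found and served root.exe/cmd.exe: investigate this host
            r["served_200"] += 1
    return dict(report)
```

A 403/404 means the probe was refused; a 200 on root.exe or cmd.exe means the file exists on the server being scanned and that host needs to be looked at, not just the scanning client.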