[ale] *OT* But, I need some help.

Jonathan Rickman jonathan at xcorps.net
Mon Oct 22 08:36:21 EDT 2001


On Mon, 22 Oct 2001, Frank Zamenski wrote:

>
> If this is not Nimda, how does one tell the difference between code
> red/blue and Nimda attacks on webserver logs? Not that it's terribly
> significant to me as I don't do IIS, but I do look at our Solaris iPlanet
> webserver logs on occasion, and have seen some of this stuff on
> occasion in the past.

Code Red scanned for a single vulnerability and left entries in the logs
that contained either a string of XXXXXXX or NNNNNN. That's the most
easily identifiable trait. Look at your logs if you want the complete
entry. I guarantee you have them. Nimda on the other hand, scanned for
multiple vulnerabilities and does not have its own definitive signature,
per se. However, it's pretty obvious by looking at the order of the scans
and the elapsed time between each one.

Note: It is possible to "simulate" a Nimda probe using whisker or other
such tools so it is entirely possible that a human could be actively
probing while using the Nimda "noise" for cover.

The logs posted earlier appear to be Nimda banging on the door...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
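An added example, not from this post or the ALE list, of the two checks described above turned into a small log classifier. It reads Common Log Format lines, tags a source as Code Red when a request carries a long run of X or N, and tags it as Nimda-like when it fires several distinct probe requests within seconds of each other. The log lines, IP addresses, the 16-character run length, the 3-probe minimum and the 10-second gap are all constructed assumptions for the demonstration; the "root.exe or cmd.exe" test is a heuristic based on the probe list in CERT advisory CA-2001-26, not a Nimda signature. Following the note about whisker-style probing under worm noise, any request in a burst that does not fit that repertoire is reported separately so a person can look at it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Common Log Format (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2001:08:01:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
10.0.0.9 - - [22/Oct/2001:08:02:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281
192.0.2.7 - - [22/Oct/2001:08:05:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.7 - - [22/Oct/2001:08:05:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.7 - - [22/Oct/2001:08:05:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.7 - - [22/Oct/2001:08:05:01 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.7 - - [22/Oct/2001:08:05:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.3 - - [22/Oct/2001:08:10:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.3 - - [22/Oct/2001:08:10:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.3 - - [22/Oct/2001:08:10:03 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
198.51.100.3 - - [22/Oct/2001:08:10:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.4 - - [22/Oct/2001:08:20:00 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) \S+$')

# Code Red: a single request whose query is a long run of X or N.
CODE_RED_RE = re.compile(r'[XN]{16,}')
# Nimda heuristic (assumption): every probe in its repertoire went after
# root.exe or cmd.exe, so anything else inside a burst deserves a look.
NIMDA_PROBE_RE = re.compile(r'(root|cmd)\.exe', re.IGNORECASE)

MAX_GAP_S = 10        # assumption: worm probes arrive within seconds of each other
BURST_MIN_PROBES = 3  # assumption: fewer distinct probe paths is not a "scan"


def parse(log_text):
    """Yield (ip, timestamp, path) for each well-formed line; skip junk."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        yield m['ip'], ts, m['path']


def classify(log_text):
    """Return {ip: (label, note)} for every source seen in the log."""
    by_ip = defaultdict(list)
    for ip, ts, path in parse(log_text):
        by_ip[ip].append((ts, path))

    result = {}
    for ip, hits in by_ip.items():
        hits.sort()  # order of arrival matters for the gap check
        paths = [p for _, p in hits]
        if any(CODE_RED_RE.search(p) for p in paths):
            result[ip] = ('code-red', 'long X/N run in request')
            continue
        # Elapsed time between consecutive requests from this source.
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(hits, hits[1:])]
        distinct_probes = {p for p in paths if NIMDA_PROBE_RE.search(p)}
        if len(distinct_probes) >= BURST_MIN_PROBES and max(gaps, default=0) <= MAX_GAP_S:
            extra = sorted(p for p in set(paths) if not NIMDA_PROBE_RE.search(p))
            if extra:
                result[ip] = ('nimda-like+extra',
                              'non-worm paths inside burst: ' + ', '.join(extra))
            else:
                result[ip] = ('nimda-like',
                              f'{len(distinct_probes)} distinct probes, max gap {max(gaps):.0f}s')
        else:
            result[ip] = ('normal', f'{len(paths)} request(s)')
    return result


if __name__ == '__main__':
    for ip, (label, note) in classify(SAMPLE_LOG).items():
        print(f'{ip:15} {label:18} {note}')
```

In the constructed sample, 10.0.0.5 and 10.0.0.9 come out as code-red, 192.0.2.7 as nimda-like, and 198.51.100.3 as nimda-like with /cgi-bin/test-cgi reported as the odd request inside the burst. Against a real log the thresholds want tuning, and the "extra path" report is only a prompt for review, not evidence of a human operator by itself.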