The real issue here has been loss of bandwidth. At around 2pm I was getting
popped by well over 600 infection attempts per minute from about 430
servers. That was before the attacks peaked. I built a log parser that
dumped this stuff into a db, but had to shut it and the error log off as the
log file got too big.
Fortunately the frequency seems to be declining, but I'm not holding my
breath.
Not one, single request for default.ida today. All those infected servers
switched over to this... at exactly the same time. Ugly.
-----------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-----------------------------------------
----- Original Message -----
From: "John Tolmachoff" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 5:16 PM
Subject: RE: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with
readme.exe attachment
This is of concern primarily to IIS 4 & 5. Windows 2000 SP2 covers the
patch.
John Tolmachoff, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bryson, Laura
Sent: Tuesday, September 18, 2001 1:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [IMail Forum] New widespread virus: W32/Nimda-A; arrives
with readme.exe attachment
From Symantec's web site
(http:[EMAIL PROTECTED])
"W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple
methods to spread itself. The worm sends itself out by email, searches
for open network shares, and attempts to copy itself to unpatched
Microsoft IIS web servers. The worm does this using the Unicode Web
Traversal exploit. A patch and information regarding this exploit can be
found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
Users visiting compromised Web servers will be prompted to download an
.eml (Outlook Express) email file, which contains the worm as an
attachment.
Also, the worm will create an open network share on the infected
computer, allowing access to the system."
/ljb
-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:39 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with
readme.exe attachment
FYI, Sophos has just alerted us to a new virus that is apparently
spreading very quickly, called W32/Nimda-A. Not much information is
available yet. Apparently, it uses an attachment called "readme.exe".
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/