FTP Nimba Sigs (Was: [Snort-sigs] WEB-IIS File permission canonicalization)
marcus at ...64...
Tue Sep 18 20:37:06 EDT 2001
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Nimba Upload scan"; flags: A+; content:"PASS guest at ...115..."; rev:1;)
The above is the sig. of the Nimba worm FTP login signature. Cross
posting to bugtraq info below:
Also one part that you're not covering of Nimba's virus code that I've seen
attack our FTP servers follows below. It resides on the FTP server if
successfully creates, I imagine it uploads after it does a MKDIR to see if
the directory is writable then uploads to that directory 'readme.exe'.
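The upload behaviour described in the post, as an added example that is not part of the original message or of Snort: a Python check over FTP command logs that flags clients storing readme.exe and records whether an MKD came first. The log format, addresses, password values and function names are assumptions constructed for illustration; the MKD-then-upload order is the poster's guess, so an upload without MKD is still reported.

```python
import re
from collections import defaultdict

# Constructed sample log. Hypothetical format: "<time> <client-ip> <FTP command line>".
SAMPLE_LOG = """\
20:31:02 192.0.2.10 USER anonymous
20:31:02 192.0.2.10 PASS guest@example.invalid
20:31:03 192.0.2.10 MKD probe
20:31:04 192.0.2.10 CWD probe
20:31:05 192.0.2.10 STOR readme.exe
20:32:10 192.0.2.20 USER anonymous
20:32:10 192.0.2.20 PASS user@example.invalid
20:32:11 192.0.2.20 RETR README.txt
20:33:40 192.0.2.30 USER alice
20:33:41 192.0.2.30 PASS secret
20:33:45 192.0.2.30 STOR Readme.EXE
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]+)(?:\s+(.*))?$")
UPLOAD_VERBS = ("STOR", "STOU", "APPE")
MKDIR_VERBS = ("MKD", "XMKD")


def basename(path):
    """Last path component, lower-cased, accepting / or \\ separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def suspicious_sessions(log_text, filename="readme.exe"):
    """Return {client: [reason, ...]} for clients that upload `filename`.

    Clients are keyed by source address, a simplification: several
    sessions from one address are treated as one.
    """
    made_dir = defaultdict(bool)
    hits = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        _, client, verb, arg = m.groups()
        verb = verb.upper()
        if verb in MKDIR_VERBS:
            made_dir[client] = True
        elif verb in UPLOAD_VERBS and arg and basename(arg) == filename:
            reason = "upload after MKD" if made_dir[client] else "upload only"
            hits.setdefault(client, []).append(reason)
    return hits
```
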