FTP Nimba Sigs (Was: [Snort-sigs] WEB-IIS File permission canonicalization)

Mark Canter marcus at ...64...
Tue Sep 18 20:37:06 EDT 2001

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Nimba Upload scan";
flags: A+; content:"PASS guest at ...115..."; rev:1;)

The above is the sig. of the Nimda worm FTP login signature.  Cross
posting to bugtraq info below:



Also one part that you're not covering of Nimda's virus code that I've seen
attack our FTP servers follows below.  It resides on the FTP server if
successfully creates, I imagine it uploads after it does a MKDIR to see if
the directory is writable then uploads to that directory 'readme.exe'.
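
The login, MKDIR and 'readme.exe' upload sequence described above can also be looked for in FTP server logs after the fact. The following is an added example, not part of the original post: the log format and sample lines are constructed, and the only password detail assumed is the "guest@" prefix implied by the rule's content match (the elided remainder is not reproduced).

```python
import re
from collections import defaultdict

# Constructed sample log. Hypothetical format (an assumption, not a real server's):
# "<session> <client-ip> <command> <argument> <reply-code>"
SAMPLE_LOG = """\
s1 192.0.2.10 USER anonymous 331
s1 192.0.2.10 PASS guest@example.invalid 230
s1 192.0.2.10 MKD /incoming/tmp1 257
s1 192.0.2.10 STOR /incoming/tmp1/readme.exe 226
s2 198.51.100.7 USER anonymous 331
s2 198.51.100.7 PASS alice@example.invalid 230
s2 198.51.100.7 STOR /incoming/report.txt 226
s3 203.0.113.5 USER anonymous 331
s3 203.0.113.5 PASS guest@example.invalid 230
s3 203.0.113.5 MKD /pub/x 550
"""

LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def score_sessions(log_text):
    """Return {session: (client_ip, [indicators in order seen])}."""
    hits, ips = defaultdict(list), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        sess, ip, cmd, arg, code = m.groups()
        ips[sess] = ip
        ok = code.startswith("2")  # 2xx reply: the server accepted the command
        name = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if cmd == "PASS" and arg.lower().startswith("guest@"):
            hits[sess].append("guest-password")
        elif cmd in ("MKD", "XMKD") and ok:
            hits[sess].append("mkdir-ok")      # directory was writable
        elif cmd == "STOR" and ok and name == "readme.exe":
            hits[sess].append("readme.exe-stored")
    return {s: (ips[s], h) for s, h in hits.items()}

def confirmed_uploads(log_text):
    """Sessions showing login -> MKD -> STOR readme.exe, in that order."""
    want = ["guest-password", "mkdir-ok", "readme.exe-stored"]
    out = []
    for sess, (ip, seen) in score_sessions(log_text).items():
        it = iter(seen)
        if all(step in it for step in want):  # ordered-subsequence check
            out.append((sess, ip))
    return sorted(out)

if __name__ == "__main__":
    print(confirmed_uploads(SAMPLE_LOG))
```

Sessions that only match the password indicator (such as the failed MKD in the sample) are probes against a non-writable server; a confirmed sequence means 'readme.exe' should be located and removed from the upload directory.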

