[Snort-sigs] nimda.nws

HenkP at ...747... HenkP at ...747...
Tue Aug 13 23:56:01 EDT 2002

Thanks for all the advice.
I have definitely scanned and used all the latest virus removal tools
(nimda.a and nimda.e).

I can't remember rebooting the servers, but to be on the safe side I will
scan with NAV again (and also use the virus removal tools), remove any
unused services and then reboot the servers to make sure.


Henk Pretorius

"Ian Macdonald" <secsnortsigs at ...754...mon.co.uk>
To: <HenkP at ...747...>
cc:
Subject: Re: [Snort-sigs] nimda.nws
2002/08/13 06:55 PM

If you can do some logging (tcpdump or alerts) and send them, we might be
able to help identify it. My guess is that you still have an infected
machine or a machine that has become reinfected. I would look at the alerts
being generated and find the source address, then investigate that machine.
Find out if it has the latest service pack on it, and make sure you have all
current security hot fixes installed. You will find it will be running IIS;
check to see if IIS can be switched off.
I personally would not trust a virus killer to get rid of Nimda.
One thing that just occurred to me: after cleaning the machines, did you
reboot them? If I remember correctly the IIS service is hijacked by
and in order to get rid of it you have to restart the service and reboot.

----- Original Message -----
From: <HenkP at ...747...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 13, 2002 9:21 AM
Subject: [Snort-sigs] nimda.nws

> Hi all,
> snort is picking up nimda signatures all over our network.
> These signatures are from many different machines; all these machines have
> been cleaned by NAV corporate ed. from NIMDA (and also have the latest
> definitions on them) and the virus cannot be found on any machine
> in the network.
> Snort is reporting all of the following signature descriptions.
> web-cgi scripalias access
> web iis isapi .ida access
> web iis access
> web misc icq webfront HTTP dos attack
> web iis .cnf access
> web traversal
> web misc ?open access
> netbios nimda.nws
> web misc domino names access
> to name a few
> I don't think that this can be false positives since these signatures are
> triggered CONSTANTLY and from various systems on the network, indicating
> that it is not one machine causing a false positive...
> Could it be a new version of nimda that Norton does not pick up on?
> Please assist with advice.
> Regards
> Henk Pretorius
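The triage step suggested in the thread (look at the alerts, find the source address, investigate that machine) can be scripted. The following is an added example, not code from the thread or from the Snort project: it assumes alerts logged in Snort's "fast" one-line format and a hypothetical internal range of 192.168.10.0/24. The sample log is constructed and its rule IDs are placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Snort "fast" alert format; addresses, times and SIDs are invented.
SAMPLE_ALERTS = """\
08/13-09:20:58.112233  [**] [1:1000001:1] WEB-IIS ISAPI .ida access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.10.23:1841 -> 192.168.10.5:80
08/13-09:20:59.004511  [**] [1:1000001:1] WEB-IIS ISAPI .ida access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.10.23:1842 -> 192.168.10.6:80
08/13-09:21:03.771209  [**] [1:1000002:1] NETBIOS nimda .nws [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.10.23:1850 -> 192.168.10.7:139
08/13-09:21:10.250000  [**] [1:1000001:1] WEB-IIS ISAPI .ida access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.10.41:2210 -> 192.168.10.5:80
08/13-09:21:12.900417  [**] [1:1000001:1] WEB-IIS ISAPI .ida access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:4455 -> 192.168.10.5:80
this line is not an alert and is skipped
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def rank_internal_sources(log_text, internal_net="192.168.10.0/24"):
    """Return (src, alert_count, distinct_dsts, signatures) for internal sources.

    Hosts that trigger alerts against many different destinations are listed
    first: that fan-out is what a still-infected or reinfected machine shows.
    """
    net = ipaddress.ip_network(internal_net)
    counts = defaultdict(int)
    dsts = defaultdict(set)
    sigs = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        src = m["src"]
        if ipaddress.ip_address(src) not in net:
            continue  # external source: cannot be cleaned locally, skip it
        counts[src] += 1
        dsts[src].add(m["dst"])
        sigs[src].add(m["msg"])
    rows = [(s, counts[s], len(dsts[s]), sorted(sigs[s])) for s in counts]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for src, n, fanout, names in rank_internal_sources(SAMPLE_ALERTS):
        print(f"{src}: {n} alerts, {fanout} destinations, {', '.join(names)}")
```
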
