Title: Nimda: The worm that won't go away

January 21, 2002


Copyright 2002 CNET Networks, Inc. All rights reserved. TechRepublic is a registered service mark of CNET Networks, Inc.

Although the major media outlets have moved on to newer Internet security topics, the Nimda worm is still newsworthy. That's because a large number of systems infected with Nimda are still spreading the worm that first made headlines last September. (I do, however, believe that the number of infected systems is a small percentage of the initial attack.) What's alarming about this is that systems infected with Nimda are essentially wide open to other attacks, since it's trivial to run remote commands on infected systems.

Proof that the worm lives on

I know that Nimda is still out there because the Apache Web server logs on a number of the UNIX systems I maintain show evidence of Nimda. Here's an example of a Nimda-related log entry. (Note that the IP address has been changed to protect the guilty system.)

[Mon Jan 14 01:29:59 2002] [error] [client 192.168.1.5] File does not exist: /webdocs/scripts/..%5c../winnt/system32/cmd.exe

Tracking down a responsible party and telling them to fix their Nimda problem takes some time, but it can usually be done with very little effort. Usually when I report that a server is infected with Nimda, the company is grateful someone took the time to report the problem.

What you can do to stop the worm from spreading

If you find evidence of a Nimda-infected system scanning one of your systems, I encourage you to take a few minutes and try to help. You can often find an e-mail address or phone number to report the Nimda scan to by using the American Registry for Internet Numbers (ARIN) Whois lookup: enter the IP address of the infected system and submit the query.

ARIN maintains a fairly accurate database of networks and who controls them for North America, South America, the Caribbean, and even parts of Africa. If the exact network isn't listed, Whois returns the closest enclosing allocation. (Other regions have their own registries, such as RIPE NCC for Europe and APNIC for the Asia-Pacific region, with similar lookups for finding a network's contact person or e-mail address.)

However, using ARIN's database isn't the only way to find a company's contact to let them know they have Nimda. Since Nimda lives on Windows IIS Web servers, you can sometimes use "nslookup" to do a reverse lookup on the IP address and get the Web server's host name, which often reveals the company, and then browse to its site for contact information. Be careful with that last step: an infected IIS server adds JavaScript to its Web pages that tries to push the worm (readme.eml) to visiting browsers. (Note: I don't recommend this unless you have all the scripting disabled in your Web browser, which for most people is Internet Explorer. I always disable Active Scripting in IE unless it's required for a particular Web site, and then I add it to my Trusted Sites list.)
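To turn the log-reading and reporting steps above into something repeatable, here is an added example (not code from the article or from TechRepublic) that scans Apache log lines for Nimda-style probes, groups them by source IP, and prints the whois and nslookup commands to run for each offender. It handles the Apache 1.3 error-log format shown in the article and, as an assumption, Common Log Format access-log lines; the sample lines are constructed, the signature list is assembled from memory of the CERT advisory on Nimda rather than from this page, and the lookup commands are returned as strings rather than executed, since they need network access.

```python
"""Find Nimda-style probes in Apache logs and prepare contact lookups.

Added example, not code from the article. The error-log regex matches the
Apache 1.3 format shown in the article; the access-log regex (Common Log
Format) is an assumption, since the article only shows an error-log entry.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Apache 1.3 error log, as in the article:
#   [Mon Jan 14 01:29:59 2002] [error] [client 192.168.1.5] File does not exist: /path
ERROR_LOG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)"
)
# Common Log Format access log (assumed; not shown in the article):
#   1.2.3.4 - - [14/Jan/2002:01:29:59 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 212
ACCESS_LOG = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings found in Nimda's IIS probes. "..%5c.." is the form in the
# article's log; cmd.exe / root.exe appear in every documented probe, and the
# other entries are the Unicode and double-decode traversal variants.
# Assumption: this list is from memory of the CERT advisory, not from the article.
SIGNATURES = (
    "cmd.exe",
    "root.exe",
    "..%5c..",
    "..%2f..",
    "..%c0%af..",
    "..%c1%1c..",
)


def is_nimda_probe(path: str) -> bool:
    """True if the requested path contains a Nimda probe signature (case-insensitive)."""
    lowered = path.lower()
    return any(sig in lowered for sig in SIGNATURES)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, requested_path) for a recognised Apache log line, else None."""
    match = ERROR_LOG.match(line) or ACCESS_LOG.match(line)
    if match is None:
        return None
    return match.group("ip"), match.group("path")


def find_probers(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP that sent a Nimda-style probe to the paths it requested."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue  # blank line or a format we don't recognise
        ip, path = parsed
        if is_nimda_probe(path):
            hits[ip].append(path)
    return dict(hits)


def lookup_commands(ip: str) -> List[str]:
    """Commands to run by hand to find a contact for an offending IP.

    whois against ARIN, as the article suggests, and a reverse lookup with
    nslookup. Both need the network, so this returns the commands as strings
    instead of running them.
    """
    return [f"whois -h whois.arin.net {ip}", f"nslookup {ip}"]


# Constructed sample log lines (not real traffic). 192.168.1.5 is the address
# the article uses; 10.0.0.7 is a second constructed prober and 203.0.113.9
# a harmless client that only produces ordinary 404s.
SAMPLE_LOG = [
    "[Mon Jan 14 01:29:59 2002] [error] [client 192.168.1.5] File does not exist: /webdocs/scripts/..%5c../winnt/system32/cmd.exe",
    "[Mon Jan 14 01:30:00 2002] [error] [client 192.168.1.5] File does not exist: /webdocs/scripts/root.exe",
    '10.0.0.7 - - [14/Jan/2002:01:31:02 -0500] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212',
    '203.0.113.9 - - [14/Jan/2002:01:32:10 -0500] "GET /index.html HTTP/1.0" 200 1043',
    "[Mon Jan 14 01:33:41 2002] [error] [client 203.0.113.9] File does not exist: /webdocs/favicon.ico",
]

if __name__ == "__main__":
    # Typical use: python nimda_probes.py < /var/log/httpd/error_log
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for ip, paths in sorted(find_probers(source).items()):
        print(f"{ip}: {len(paths)} Nimda-style probe(s)")
        for path in paths:
            print(f"    {path}")
        for cmd in lookup_commands(ip):
            print(f"    -> {cmd}")
```

Matching on cmd.exe and root.exe is deliberately broad: a legitimate UNIX Web server has no reason to serve either, so any request for them from a given IP is enough to justify a whois lookup, and the traversal markers only add context about which encoding variant the worm tried.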

Other recent personal experiences with Nimda

In the incident that prompted me to write this article, I went against my normal rule of just sending an e-mail message and called the company after finding their contact information at ARIN. I told the switchboard that I was reporting a network intrusion from their network and asked to speak to someone in their IT department. I wasn't able to talk to anyone in IT, but I did leave a message stating that a system at that IP address was attempting to spread Nimda to a system where I work. The key to reporting a problem like this is to be direct, brief, and informative without getting angry or derogatory.

Another example of how I know Nimda is still lurking around is a recent incident at my job involving a fresh install of a Windows 2000 system. Impossible as it might sound, Nimda infected the system less than 15 minutes after it was installed--just after the first reboot and before service packs could be applied. The infected machine was quickly found and unplugged from the network, but it left many people scratching their heads as to how Nimda could have infected the system so fast.

Conclusion

Nimda just doesn't seem to want to go away, so take the appropriate measures to make sure it doesn't rear its ugly head on your network: keep IIS patched against the directory traversal bugs the worm exploits, and never put a freshly installed Windows system on a network that infected hosts can reach before it has been patched. If you do find evidence of a Nimda intrusion in your Web server's log files, you can help by taking a few minutes to e-mail the network contact and let them know there's a problem.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
