
Is there a new Nimda-type virus going around?

Discussion in 'Archived Threads 2001-2004' started by AndyVX, Mar 18, 2002.

  1. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    Trophy Points:
    0
    Just wondering, because I've been getting a lot of port scans on one of my two computers lately. (They each have a different IP)

    Also, I have file and printer sharing enabled (I have both computers networked to share files between them) so am I still protected by running Zone Alarm?

    Thanks.
     
  2. Jeff Kleist

    Jeff Kleist Executive Producer

    Joined:
    Dec 4, 1999
    Messages:
    11,267
    Likes Received:
    0
    Trophy Points:
    0
    Yeah, I found a couple that were new on my machine that are now history.
     
  3. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Trophy Points:
    0
    What port are they scanning? If it's 80 it's probably Nimda. I'm on a cable modem and I've been scanned continuously ever since Nimda appeared on 9/18. Sometimes I get peaks, where one day there's an unusually large number of scans, but those peaks are usually just one or two IPs scanning me more than usual, perhaps someone who's infected launching many copies of the virus at once.

    Although companies, with their IT departments, are largely immune to Nimda now due to patching and securing their systems, many home users are still vulnerable or infected, and that's why I still see scans (typically 30-50 per day, though it peaked at over 100 last Saturday) from Nimda infected hosts.

    I coined a new term a few months ago to describe those who are still infected with Nimda: "Numduhs." I get scanned by Numduhs on a daily basis.

    KJP
     
  4. Matt Stryker

    Matt Stryker Screenwriter

    Joined:
    Oct 12, 2000
    Messages:
    1,307
    Likes Received:
    0
    Trophy Points:
    0
    It's still pretty rampant. What are the IPs of the two computers? You can use www.samspade.org to track them down and notify their ISP so they can be disinfected. At the very least they can shut the ports down until the guy learns to use a virus program.
     
  5. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    Trophy Points:
    0
    I've traced the IPs using a trace program provided on my ISP's website.

    They aren't scanning port 80 though. They are scanning ports ranging from 7000-70000 [roughly]. They are also all "TCP Flag: S". I don't know what that means though.

    **EDIT**

    The person that I'm getting 95% of the scans from is located at Verio, Inc. Never heard of them.

    Even though I've sent a report to the system admin, I still haven't heard anything back from them yet.
     
  6. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Trophy Points:
    0
     
  7. AndyVX

    AndyVX Supporting Actor

    Joined:
    Aug 2, 2000
    Messages:
    804
    Likes Received:
    0
    Trophy Points:
    0
    Kevin,

    OK, I checked the Zone Alarm log file, and yes, each and every scan is attempting to connect to port 80 on my computer.

    I'm just finding this quite annoying. 500+ scans per hour or so. After checking the log, it seems as though these scans are coming from multiple IPs. Also, I just got my ISP to add a second IP address, and it's only happening on this one. Not on my original IP on the other computer in my house.

    Could it be that this IP address belonged to someone else, and because of whatever program they were running port 80 was open?

    Like I asked earlier, even though I have File and Printer sharing enabled, running Zone Alarm is keeping me safe right? I know it keeps me safe from port 80, but what about whatever port File and Printer sharing opens up?

    Thanks for all the help.
     
  8. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    Trophy Points:
    0
    That's a lot of scans! If it's only happening on your new IP, and not the old one, it's probably not Nimda. I bet someone had a web site on that IP before you got it, and people are still trying to access it. Try doing an nslookup on the IP address and see if it translates to a DNS name that might have been a web site at some time.

    Also, do you notice the scans coming in pairs, triplets, or some pattern like this (e.g. each source IP/port scans you twice, three times, or what)? Nimda usually scans twice, Code Red scans three times, and if it's users with web browsers, it could be more than three times each depending on how long they sit and wait for a response.

    You might want to tell ZoneAlarm to block but not stealth port 80 for a while; then users trying to access your IP will immediately get a reject ICMP packet instead of hanging on retrying a number of times. This might reduce the rate of the scans. You might also want to ask your ISP why this is happening. They might be able to tell you what the IP was used for before you got it, or if the prior user was running a web site.

    File and Print sharing are on ports 137-139 (and 445 on Win2k). Zone Alarm should block these by default, and some cable modem providers block these ports as well. Check your rules to see if "NetBIOS" or the above ports are blocked. Also, go to www.symantec.com, they have a security check tool that will scan your machine and report any vulnerabilities, including open ports.
    Good luck!
    KJP
     
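The two Kevin P replies above (post 3 on port-80 scans and per-source peaks, post 8 on the pairs/triplets pattern and the file-sharing ports) describe a manual read of the ZoneAlarm log. The script below is an added example, not code from the thread or from ZoneAlarm, that does that read over a handful of constructed log lines. The line layout (FWIN, date, time, source:port, destination:port, protocol and TCP flags) is only loosely modelled on ZoneAlarm's text log and is an assumption here; the classification thresholds (2 knocks, 3 knocks, more) are the heuristic Kevin gives in post 8.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall log. The layout (FWIN, date, time, src:port,
# dst:port, protocol and TCP flags) is only loosely modelled on ZoneAlarm's
# text log and is an assumption for this example, not a captured log.
SAMPLE_LOG = """\
FWIN,2002/03/18,10:15:22,198.51.100.7:3412,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,10:15:25,198.51.100.7:3412,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,10:16:01,198.51.100.42:1055,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,10:16:04,198.51.100.42:1055,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,10:16:08,198.51.100.42:1055,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,10:20:00,192.0.2.9:2201,203.0.113.5:139,TCP (flags:S)
FWIN,2002/03/18,10:21:00,192.0.2.9:2202,203.0.113.5:445,TCP (flags:S)
FWIN,2002/03/18,11:30:00,198.51.100.7:3413,203.0.113.5:80,TCP (flags:S)
FWIN,2002/03/18,11:30:03,198.51.100.7:3413,203.0.113.5:80,TCP (flags:S)
"""

# Windows file/print sharing ports named in the thread: NetBIOS 137-139, SMB 445
FILE_SHARING_PORTS = {137, 138, 139, 445}

LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>\w+)\))?$"
)


def parse_log(text):
    """Parse inbound-blocked (FWIN) lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S"),
            "src": m["src"],
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
            "proto": m["proto"],
            "flags": m["flags"] or "",
        })
    return events


def hits_by_source(events, dport=80):
    """Blocked attempts per source IP on one destination port: the 'one or two
    IPs scanning me more than usual' check from post 3."""
    return Counter(e["src"] for e in events if e["dport"] == dport)


def hits_by_hour(events, dport=80):
    """Attempts per clock hour, so a peak shows up instead of a daily total."""
    return Counter(e["ts"].strftime("%Y-%m-%d %H:00") for e in events if e["dport"] == dport)


def probe_groups(events, dport=80):
    """Group SYNs by (source IP, source port). A client retrying one connection
    keeps the same source port, so the group size is how many times it knocked."""
    return Counter((e["src"], e["sport"])
                   for e in events if e["dport"] == dport and "S" in e["flags"])


def classify_group_size(n):
    """Heuristic from post 8: Nimda probes twice, Code Red three times,
    a person in a browser keeps retrying for longer."""
    if n == 2:
        return "nimda-like"
    if n == 3:
        return "code-red-like"
    if n > 3:
        return "interactive-client-like"
    return "single"


def file_sharing_attempts(events):
    """Attempts against the file/print sharing ports. On a host that relies on the
    firewall for these, every one of them should appear as a blocked (FWIN) line."""
    return [e for e in events if e["dport"] in FILE_SHARING_PORTS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port 80 hits per source:", dict(hits_by_source(evs)))
    print("port 80 hits per hour:", dict(hits_by_hour(evs)))
    for (src, sport), n in probe_groups(evs).items():
        print(f"{src}:{sport} knocked {n}x -> {classify_group_size(n)}")
    print("file-sharing probes:", [(e["src"], e["dport"]) for e in file_sharing_attempts(evs)])
```

Grouping by source port rather than source IP is what separates "one client retrying" from "many clients": the same IP reconnecting later gets a new source port and a new group, so the group sizes line up with the twice/three-times pattern Kevin describes. Pairing the per-source counts with the nslookup he suggests (a reverse lookup of each heavy source, done separately) tells you whether the traffic is worm hosts or people still looking for a site that used to live on the address.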
