Slashdot Mirror

← Back to Stories (view on slashdot.org)

1 Year Anniversary of Nimda Outbreak

Posted by CmdrTaco on from the my-logs-hurt dept.

dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!

7 of 289 comments (clear)

  1. Still kicking by JediTrainer · · Score: 5, Informative

    If anybody is interested, I've developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.

    According to my logs (please be gentle), I've been hit 650 times yesterday.

    Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Still kicking by pclminion · · Score: 5, Funny
      If anybody is interested, I've developed WormScan [freshmeat.net] last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions).

      I think I've heard of a similar program before. I might have even used it... Hmm, what was that program?

      Oh, yeah! grep

      (sorry man, I'm just pokin' fun)

  2. Slashdot uptime = 1 year by msheppard · · Score: 5, Funny

    And it's probably no coincidence that slashdot stats report 365days uptime today.

    M@

    --
    Krispy Cream is people
  3. NIMDA the sysadmins friend :-s a little anecdote by fruey · · Score: 5, Interesting
    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    I was working on a project to set up a proxy (Squid, in fact) for an education institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT workstation service pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.

    The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2Gb and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.

    This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason sp3 was some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".

    Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(

    --
    Conversion Rate Optimisation French / English consultant
  4. A limerick suiting this topic... by Chagatai · · Score: 5, Funny
    Nimda, Klez, and Red
    Whilst fornicating in bed
    Felt something new
    Saying, "Melissa, is that you?"
    And found Bill Gates naked, instead.

    --
    --Chag
  5. Still getting hit by rossz · · Score: 5, Informative

    No doubt in celebration of the birthday, I got a number of nimda hits this morning.

    mount -t smbfs password= //xx.xx.xx.xx/C$ /mnt/dork
    vi /mnt/dork/boot.ini

    Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".

    umount /mnt/dork

    --
    -- Will program for bandwidth
  6. Re:Nimda by Mandi+Walls · · Score: 5, Interesting
    See F-Secure for the current infection of the slapper worm, 5 days after discovery. Infected servers: < 14,000 total, according to them.

    Now. this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.

    Help me out here.

    Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.

    Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? to say NOTHING of the 1.3 million and up that were infected originally.

    slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.

    So here you go:
    [chastise]
    Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
    [/chastise]
    [screaming rant]
    it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
    [/screaming rant]

    Thank you.
    --mandi