Richard Brain, technical director at anti-hacking specialist ProCheckup, told CW360 that he had been seeing attacks on his own Microsoft Internet Information Server and apache Web servers since 2pm on Tuesday afternoon. "We think it is trying to break through to the file server and tries 16 different attack methods," he said.
So far Brain said he has monitored attacks coming from the UK, US, Germany, Poland and the Czech Republic. The new attack, he added is far worse than Code Red, which struck in July. "We are getting an attack every 30 seconds," said Brain.
The virus has the potential to cause a denial of service attack. Brain said his multi-processor Compaq ProLiant server, which normally runs at 2% utilisation, was running at 26% because of the attack. The reason the servers were slowing down, he explained, was because they had to expend processing power to examine malformed URLs - in a similar way to what happened in the Code Red attack.
Anti-virus vendor Sophos has issued a patch and a warning to users on the virus that it has dubbed Nimda-A. Nimda-A is an e-mail-aware virus that spreads using an attached filename of README.EXE. In the warning Sophos stated, "researchers are continuing to examine the virus and will be posting a more detailed description of the virus on the Sophos Web site once the analysis is complete."
Graham Cluely, senior technical consultant at Sophos said, "We have heard of hundreds of attacks in the last hour." He added: "It may be trying to pump bad packets to the Web servers."
Russ Cooper who heads up NTBugTraq, the independent forum for tracking bugs in Microsoft operating system software, sent out an e-mail alert which warned, "This thing cares not whether you are an ISS box or not; it tries regardless."
He advised users to ensure that their inbound and outbound router rules were configured correctly and ideally, he said, users should lock-down their Net connections to the individual IP addresses of computers on the network that needed access.