Snort mailing list archives
RE: Nimda in action deplorable stuff this...
From: "Jay and Lynn Withrow" <jandlynn () hotmail com>
Date: Wed, 19 Sep 2001 12:29:33 -0400
I am now redirecting all Code Red requests back to themselves, so maybe it will get lost in a circular reference, as I am redirecting it back to itself exactly as the request was sent.
I plan on doing the same for the Nimda worm as soon as I figure out how to map +dir as a file extension to the ASP engine; it doesn't seem to like the + as an extension delimiter, and it keeps appending a .
This way, when a request is made for c+dir, they will actually be requesting a file named c with the extension +dir (c+dir).
- Jason
From: "Franki" <frankieh () vianet net au>
Reply-To: <frankieh () vianet net au>
To: "Travis Farmer" <travis5765 () hotmail com>
CC: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Nimda in action deplorable stuff this...
Date: Wed, 19 Sep 2001 23:51:00 +0800

Sorry mate, I went there on a Windows 2000 box that has IIS running (testing Perl scripts), and when it asked me to download the file, I did, saved it to my desktop, and scanned it with Inoculate (didn't find anything), then zipped it so I wouldn't accidentally run it, and deleted the original...

I was going to all the sites from my logs to look for email addresses to warn people about their server when I came across them... I clicked cancel when it asked to download on each one, and had no problems...

I thought I would mention, I have been going to the pages of the IPs showing up in the logs, so as to get some real email addresses instead of guessing... Most of the pages that came up were default NT4 or 2000 pages, i.e. these people don't even know they are running a web server... Also, a port scan of them shows that most of them didn't even have firewalls around them, and had at least 20 or more ports listening on them... That is a deplorable lack of thought into security... just thought I'd mention it.....

Does anyone have a small Perl/shell script that can use ipchains to block any IP that requests cmd.exe, root.exe, admin.dll etc etc??? Something like that would be small and light and much less impact on the systems than Snort.... and just as effective in this case.... anyone??

rgds

Frank

-----Original Message-----
From: Travis Farmer [mailto:travis5765 () hotmail com]
Sent: Wednesday, 19 September 2001 11:40 PM
To: frankieh () vianet net au
Subject: Re: [Snort-users] Nimda in action

Thought I sent a message but I guess not. Just a note, the file may autoload on some machines. I may have been infected but I'm not sure yet.

The report at Symantec of what this worm does seems to have not taken place on my computer. I do have a copy that I transferred from the internet temp to a Linux box for safe keeping in case somebody wants a copy for study. Interestingly, I think the reason I was "protected" was that Media Player was the application chosen by Windows to "play" it. As it was an invalid media file, it stopped the process. I still have to confirm as to if I truly am safe or not. A few tests here and there. I changed all references to my SMTP server to a bogus IP and started up ZoneAlarm so any internet traffic that I don't say "yes" to will be halted.

~Travis

>From: "Franki" <frankieh () vianet net au>
>Reply-To: <frankieh () vianet net au>
>To: <snort-users () lists sourceforge net>
>Subject: [Snort-users] Nimda in action
>Date: Wed, 19 Sep 2001 19:39:43 +0800
>
>if anyone wants to see nimda in action (and you haven't already.)
>
>try going to this site..
>
>http://203-236-233-27.rev.nextel.co.kr/
>
>whatever you do, don't run the readme.exe file....(assuming you are on
>windows..)
>
>rgds
>
>Frank
>
>_______________________________________________
>Snort-users mailing list
>Snort-users () lists sourceforge net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
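A script of the kind Frank asks for above, added here as an example and not part of the thread. It reads Apache combined-format access log lines (an assumption; Frank does not name his web server), picks out clients whose requests contain the cmd.exe, root.exe or admin.dll names he lists, and emits one ipchains DENY rule per unique source IP. The log lines are constructed for the example, and the rules are only printed unless BLOCK=1 is set, so it can be tried safely on a box that is not a gateway.

```shell
#!/bin/sh
# Added example (not from the thread): block hosts probing for Code Red /
# Nimda backdoors, based on the file names Frank lists (cmd.exe, root.exe,
# admin.dll). Log format assumed: Apache combined, client IP in field 1.

# Case-insensitive match on the probe file names anywhere in the line.
PROBE_RE='(cmd\.exe|root\.exe|admin\.dll)'

# Read log lines on stdin, print unique client IPs that sent a probe.
nimda_ips() {
    grep -Ei "$PROBE_RE" | awk '{print $1}' | sort -u
}

# Read IPs on stdin; print (or, with BLOCK=1, run) an ipchains DENY rule each.
# -I inserts at the head of the input chain so the rule wins over any ACCEPT.
block_ips() {
    while read -r ip; do
        cmd="ipchains -I input -s $ip -j DENY"
        if [ "${BLOCK:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Constructed sample log lines (not real traffic); two probing hosts repeat,
# one host is a normal visitor and must not be blocked.
SAMPLE_LOG='10.0.0.5 - - [19/Sep/2001:12:00:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [19/Sep/2001:12:00:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [19/Sep/2001:12:00:03 -0400] "GET /index.html HTTP/1.1" 200 1234
192.0.2.7 - - [19/Sep/2001:12:00:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.7 - - [19/Sep/2001:12:00:05 -0400] "GET /_mem_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.4 - - [19/Sep/2001:12:00:06 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 -'

# Demo: ./nimda_block.sh --demo   (prints three DENY rules)
# Live: tail -n0 -F /var/log/apache/access_log | nimda_ips | BLOCK=1 block_ips
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | nimda_ips | block_ips
fi
```

Two caveats worth keeping in mind before running this with BLOCK=1: a rule on the web server's own input chain protects only that host, not the rest of the network behind it, and matching on the file name alone will also block anyone behind a shared NAT address who happens to share it with one infected machine.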
Current thread:
- RE: Nimda in action deplorable stuff this... Jay and Lynn Withrow (Sep 19)