Snort mailing list archives
RE: Nimda infections..
From: "Franki" <frankieh () vianet net au>
Date: Fri, 21 Sep 2001 00:03:09 +0800
Well, I now have a Linux/Unix shell script that looks for root.exe, cmd.exe, default.ida and Admin.dll in my server error logs. If it finds them, it adds the asking IP to ipchains deny rules. It also writes the list of offending IPs to a file, and there are now 2900 IPs in that file.

I would love to know an automated way of letting the owners know, but I can't think of any way. Still, between this and the root.exe shutdown PHP thing, it's better than nothing and has sped the server up a little.

Anyone have any suggestions? How can I automate telling sysadmins that their servers are infected via just their IPs? I suppose I could reverse DNS them, then use GET to fetch their default web pages, then parse them for email addresses, then send them all emails, but that would send thousands of emails to Microsoft, since the majority of pages I saw were default Microsoft IIS pages. So what's to do?

rgds

Frank

-----Original Message-----
From: Tom Rowan [mailto:tom.rowan () securityalchemy net]
Sent: Friday, 21 September 2001 1:02 AM
To: 'frankieh () vianet net au'
Subject: RE: [Snort-users] Nimda infections..

SO. What do we do about it!?

-----Original Message-----
From: Franki [mailto:frankieh () vianet net au]
Sent: 20 September 2001 07:56
To: snort-users () lists sourceforge net
Subject: [Snort-users] Nimda infections..

Hi all,

I just thought I'd mention something. Last night I posted a URL to an infected server to show people what it does. The reason I only gave a token warning about it was because in my case, the file asked to be downloaded and where I wanted to save it. It turns out that it does that because I have every MS update loaded on it. If you have a version of IE prior to 6 (or an unpatched earlier version), and you go to a site that's infected by Nimda, it will auto-download the .eml file and you get infected. I was unaware of this last night and figured everyone would be asked if they wanted to download the file, to which you could cancel. My apologies.

rgds

Frank

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
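Frank's script itself is not in the thread. The following is an added example, not his code, showing the log-scanning step he describes in POSIX sh: grep the Apache error log for the four probe names, pull the client address out of Apache 1.3's `[client a.b.c.d]` field, keep a file of offending IPs, and print the ipchains deny rule for each new one rather than running it (the log lines in `make_sample_log` are constructed for this example, using RFC 5737 test addresses; the list file path and the rule form are assumptions).

```shell
#!/bin/sh
# Added example, not Frank's script. Scans an Apache 1.3-style error log for
# the probe names Frank lists (root.exe, cmd.exe, default.ida, Admin.dll),
# extracts the client IP from the "[client a.b.c.d]" field, records each
# offending IP once in a list file, and prints (does not run) an ipchains
# deny rule for every IP seen for the first time.

PROBES='root\.exe|cmd\.exe|default\.ida|Admin\.dll'

# make_sample_log FILE: write constructed error-log lines (RFC 5737 test
# addresses, not real traffic) so the example runs offline.
make_sample_log() {
    cat > "$1" <<'EOF'
[Thu Sep 20 23:10:01 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Thu Sep 20 23:10:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Thu Sep 20 23:11:40 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
[Thu Sep 20 23:12:15 2001] [error] [client 203.0.113.44] File does not exist: /var/www/html/favicon.ico
[Thu Sep 20 23:13:00 2001] [error] [client 203.0.113.9] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Thu Sep 20 23:14:22 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/_vti_bin/../winnt/system32/cmd.exe
[Thu Sep 20 23:15:05 2001] [error] [client 192.0.2.77] File does not exist: /var/www/html/Admin.dll
EOF
}

# nimda_ips LOGFILE: print each client IP that requested a probe name, once.
# Lines without a "[client ...]" field (or without a probe name) are dropped.
nimda_ips() {
    grep -E "$PROBES" "$1" \
        | sed -n 's/.*\[client \([0-9][0-9.]*\)\].*/\1/p' \
        | sort -u
}

# nimda_block LOGFILE [LISTFILE]: append IPs not already in LISTFILE and print
# the ipchains deny rule for each new one. Replace the echo with the real
# command to apply the rule (assumed path for the list file).
nimda_block() {
    log=$1
    list=${2:-/var/log/nimda-offenders.txt}
    touch "$list"
    nimda_ips "$log" | while read -r ip; do
        if ! grep -qxF "$ip" "$list"; then
            echo "$ip" >> "$list"
            echo "ipchains -A input -s $ip -j DENY"
        fi
    done
}

# Usage: sh nimda-block.sh /var/log/httpd/error_log [offenders.txt]
if [ $# -gt 0 ]; then
    nimda_block "$@"
fi
```

Two caveats when running something like this for real: default.ida is the Code Red .ida probe rather than a Nimda one, so the resulting list mixes hosts hit by either worm, and an ipchains rule added this way never expires, so the input chain grows with every run (Frank's 2900 entries) unless old addresses are flushed periodically.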
Current thread:
- RE: Nimda infections.. Franki (Sep 20)
- Re: Nimda infections.. Michael Boman (Sep 20)