Security Incidents mailing list archives

Re: MIME type of readme.eml (was Re: Web site infected by Nimda


From: Rob Quinn <rquinn () sec sprint net>
Date: Thu, 20 Sep 2001 13:22:01 -0400

Interestingly, the content type from www.wininternals.com (aka 207.30.43.69,
aka underconstruction.infoback.net) is application/octet-stream.  The
content type on www.digimind.fr is correct at "message/rfc822."

 If you have a Raptor firewall, you can disable web browsing based on MIME
types, which _might_ stop users with vulnerable IEs from downloading the worm.
Create an "httpmime" file in your sg/ directory containing each type to block.

 I took the 409 IP addresses that hit me from the Internet today with cmd.exe
and ran this against them (where $name is the IP):

        wget -O /dev/null --spider -t1 -T5 http://$name/readme.eml

 I've only probed about 200 of them so far, and many of the IPs refused the
connections or timed out. The ones that did serve me the worm reported these
MIME types:

     %egrep '^Length' wget.out | sort | uniq -c
        1 Length: 57,891 [application/octet-stream]
       14 Length: 79,225 [application/octet-stream]
       76 Length: 79,225 [message/rfc822]


 The odd host with the 57,891-byte readme.eml was 206.65.244.24 in case someone
wants to investigate a possible variant.

 ps - how do I adjust wget's connection timeout? The only timeout values seem
to be read (download) times.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
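As an added example (not part of Rob Quinn's post or the thread), a Python version of the probe-and-tally step described above: it parses wget "Length:" lines into (size, MIME type) pairs, flags any size that differs from the 79,225-byte copy most hosts served, and includes an equivalent HEAD probe whose socket timeout also bounds the connection attempt. The sample wget lines are constructed to mirror the tally in the post.

```python
import http.client
from collections import Counter

# Size of the worm copy most infected hosts served, per the post's tally.
KNOWN_LENGTH = 79225

# Constructed sample of wget --spider output lines (not real captured data).
SAMPLE_WGET_OUT = [
    "Length: 79,225 [message/rfc822]",
    "Length: 79,225 [message/rfc822]",
    "Length: 79,225 [message/rfc822]",
    "Length: 79,225 [application/octet-stream]",
    "Length: 57,891 [application/octet-stream]",
]

def parse_wget_length(line):
    """Turn 'Length: 79,225 [message/rfc822]' into (79225, 'message/rfc822').
    Returns None for non-Length lines or an unspecified length."""
    if not line.startswith("Length:"):
        return None
    rest = line.split(":", 1)[1].strip()
    size = rest.split()[0].replace(",", "")
    if not size.isdigit():
        return None
    ctype = rest[rest.find("[") + 1:rest.rfind("]")] if "[" in rest else ""
    return int(size), ctype

def summarize(lines):
    """Tally (size, MIME type) pairs like the egrep | sort | uniq -c pipeline
    and list the pairs whose size is not the known worm copy."""
    counts = Counter()
    for line in lines:
        rec = parse_wget_length(line.strip())
        if rec:
            counts[rec] += 1
    odd = [rec for rec in counts if rec[0] != KNOWN_LENGTH]
    return counts, odd

def probe_readme_eml(host, timeout=5.0):
    """HEAD http://host/readme.eml; the socket timeout covers the connect
    phase as well as reads. Returns (status, length, type) or None."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/readme.eml")
        resp = conn.getresponse()
        length = resp.getheader("Content-Length")
        return resp.status, int(length) if length else None, resp.getheader("Content-Type")
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, or not speaking HTTP
    finally:
        conn.close()
```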

