Security Incidents mailing list archives
Re: MIME type of readme.eml (was Re: Web site infected by Nimda
From: Rob Quinn <rquinn () sec sprint net>
Date: Thu, 20 Sep 2001 13:22:01 -0400
Interestingly, the content type from www.wininternals.com (aka 207.30.43.69, aka underconstruction.infoback.net) is application/octet-stream. The content type on www.digimind.fr is correct at "message/rfc822."
If you have a Raptor firewall, you can disable web browsing based on MIME types, which _might_ stop users with vulnerable IEs from downloading the worm. Create an "httpmime" file in your sg/ directory containing each type to block.

I took the 409 IP addresses that hit me from the Internet today with cmd.exe and ran this against them (where $name is the IP):

    wget -O /dev/null --spider -t1 -T5 http://$name/readme.eml

I've only probed about 200 of them so far, and many of the IPs refused the connections or timed out. The ones that did serve me the worm reported these MIME types:

    % egrep '^Length' wget.out | sort | uniq -c
       1 Length: 57,891 [application/octet-stream]
      14 Length: 79,225 [application/octet-stream]
      76 Length: 79,225 [message/rfc822]

The odd host with the 57,891-byte readme.eml was 206.65.244.24 in case someone wants to investigate a possible variant.

ps - how do I adjust wget's connection timeout? The only timeout values seem to be read (download) times.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
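The tally in the post above is an egrep/sort/uniq pipeline over wget's "Length:" lines. As an added example (not Rob Quinn's code, and not part of the original post), the following Python does the same job in a form that also flags outliers and shows the media-type check a MIME-based block list such as the Raptor httpmime file performs. The sample log lines are constructed: the hosts are documentation-range addresses prefixed onto each line by the caller (wget itself prints only the "Length:" part), and the expected 79,225-byte size and the two media types are taken from the post.

```python
import re
from collections import Counter

# Constructed sample: one wget "Length:" line per probed host. The leading
# host field is assumed to have been prepended by the probing loop; wget's
# own output is just the "Length: N [type]" part.
SAMPLE_WGET_LOG = """\
203.0.113.10 Length: 79,225 [message/rfc822]
203.0.113.11 Length: 79,225 [message/rfc822]
203.0.113.12 Length: 79,225 [application/octet-stream]
203.0.113.13 Length: 57,891 [application/octet-stream]
203.0.113.14 Length: 79,225 [message/rfc822]
"""

# wget prints the size with thousands separators and the Content-Type in brackets.
LENGTH_RE = re.compile(
    r"^(?P<host>\S+)\s+Length:\s+(?P<length>[\d,]+)\s+\[(?P<mime>[^\]]+)\]"
)

# Media types to refuse, analogous to the entries of a Raptor httpmime file.
# (Assumed block list for this example, not a vendor default.)
BLOCKED_MEDIA_TYPES = {"message/rfc822", "application/octet-stream"}


def parse_wget_lengths(text):
    """Return (host, length_in_bytes, media_type) for each Length: line."""
    results = []
    for line in text.splitlines():
        m = LENGTH_RE.match(line)
        if not m:
            continue  # progress bars, headers and error lines are skipped
        length = int(m.group("length").replace(",", ""))
        results.append((m.group("host"), length, m.group("mime").strip()))
    return results


def tally(results):
    """Count (length, media_type) pairs, like `sort | uniq -c` on the log."""
    return Counter((length, mime) for _, length, mime in results)


def find_outliers(results, expected_length=79225):
    """Hosts whose readme.eml size differs from the common one (possible variant)."""
    return [host for host, length, _ in results if length != expected_length]


def should_block(content_type):
    """True if the Content-Type's media type is on the block list.

    The header may carry parameters ("message/rfc822; charset=us-ascii"),
    so only the part before the first ';' is compared, case-insensitively.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in BLOCKED_MEDIA_TYPES


if __name__ == "__main__":
    parsed = parse_wget_lengths(SAMPLE_WGET_LOG)
    for (length, mime), count in sorted(tally(parsed).items()):
        print(f"{count:4d} Length: {length:,} [{mime}]")
    print("outliers:", find_outliers(parsed))
    print("block message/rfc822?", should_block("message/rfc822; charset=us-ascii"))
```

Two caveats a filter like this carries: application/octet-stream is the generic type for any binary download, so blocking it stops far more than the worm, and a server (or a compromised server's default mapping) can label the same file either way, as the differing types in the post already show. The size tally is the more reliable signal for spotting a changed payload.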
Current thread:
- Nimda - collected information Berislav Kucan (Sep 19)
- Web site infected by Nimda acz [iSecureLabs] (Sep 19)
- RE: Web site infected by Nimda Jac Engel (Sep 19)
- RE: Web site infected by Nimda Ken Pfeil (Sep 19)
- RE: Web site infected by Nimda John Q. Public (Sep 19)
- Re: MIME type of readme.eml (was Re: Web site infected by Nimda Rob Quinn (Sep 19)
- Re: MIME type of readme.eml (was Re: Web site infected by Nimda Nick FitzGerald (Sep 19)
- Re: MIME type of readme.eml (was Re: Web site infected by Nimda Rob Quinn (Sep 20)
- RE: Web site infected by Nimda Jac Engel (Sep 19)
- Web site infected by Nimda acz [iSecureLabs] (Sep 19)