RE: Nimda in action deplorable stuff this...

["Jay and Lynn Withrow" <jandlynn () hotmail com>]

I am now redirecting all Code Red request back to themselves, so maybe it 
will get lost in a circular referance, as I am redirecting it back to itself 
exactly as the request was sent.

I plan on doing the same for the nimda worm as soon as I figure out how to 
map +dir as a file extension to the asp engine, it doesn't seem to like the 
+ as an extension delimiter, and it keeps appending a .

This way, when a request is made for c+dir, they will actually be requesting 
a file named c with the extension +dir (c+dir).

- Jason


> From: "Franki" <frankieh () vianet net au>
> Reply-To: <frankieh () vianet net au>
> To: "Travis Farmer" <travis5765 () hotmail com>
> CC: <snort-users () lists sourceforge net>
> Subject: RE: [Snort-users] Nimda in action  deplorable stuff this...
> Date: Wed, 19 Sep 2001 23:51:00 +0800
>
> sorry mate, I went there on a windows 2000 box that has IIS running,
> (testing perl scripts)
>
> and when it asked me to download the file, I did, saved it to my desktop,
> and scanned it with innoculate, (didn't find anything) then zipped it so I
> wouldn't accidentally run it, and deleted the original...
>
> I was going to all the sites from my logs to look for email address's to
> warn people about their server when I came accross them... I clicked cancel
> when it asked to download on each one, and had no problems...
>
>
> I thought I would mention,, I have been goin to the pages of the IP's
> showing up in the logs, so as to get some real email address's instead of
> guess...
>
> Most of the pages that came up, were default NT4 or 2000 pages, ie these
> people don't even know they are running a web server...  also, a port scan
> of them show that most of them didn't even have firewalls around them,,, 
> and
> had at least 20 or more ports listening on them...
>
>
> That is deplorable lack of though into security...
>
> just thought I'd mention it.....
>
>
> Does anyone have a small perl/shell script that can use ipchains to block
> any ip that requests cmd.exe, root.exe, admin.dll etc etc???   sometime 
> like
> that would be small and lite and much less impact on the systems then
> snort.... and just as effective in this case....
>
> anyone??
>
>
> rgds
>
> Frank
>
> -----Original Message-----
> From: Travis Farmer [mailto:travis5765 () hotmail com]
> Sent: Wednesday, 19 September 2001 11:40 PM
> To: frankieh () vianet net au
> Subject: Re: [Snort-users] Nimda in action
>
>
> Thought i sent a message but i guesst not.
> Just a note, the file may autoload on some machines.
>
>
> I may have been infected but i'm not sure yet. the report at symantec of
> what this worm does seems to have not taken place on my computer.
> I do have a copy that i transfered from the internet temp to a Linux box 
> for
> safe keeping in case somebody wants a copy for study.
>
> Interestingly, i think the reason i was "protected" was that media player
> was the application chosen by windows to "play" it. as it was an invalid
> media file, it stopped proccess. I still have to confirm as to if i truly 
> am
> safe or not. a few tests here and there. i changed all referances to my 
> SMTP
> server to a bogus ip and started up Zone Alarm so any internet traffic that
> i don't say "yes" to will be haulted.
>
> ~Travis
>
>
> >From: "Franki" <frankieh () vianet net au>
> >Reply-To: <frankieh () vianet net au>
> >To: <snort-users () lists sourceforge net>
> >Subject: [Snort-users] Nimda in action
> >Date: Wed, 19 Sep 2001 19:39:43 +0800
> >MIME-Version: 1.0
> >Received: from [216.136.171.252] by hotmail.com (3.2) with ESMTP id
> >MHotMailBD71D20C006340042A18D888ABFCF0F20; Wed, 19 Sep 2001 04:52:45 
> -0700
> >Received: from localhost ([127.0.0.1] 
> helo=usw-sf-list1.sourceforge.net)by
> >usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id
> >15jfpl-0006BE-00; Wed, 19 Sep 2001 04:48:05 -0700
> >Received: from [202.165.70.4] (helo=freddie.vianet.net.au)by
> >usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id
> >15jfpO-00066y-00for <snort-users () lists sourceforge net>; Wed, 19 Sep 2001
> >04:47:42 -0700
> >Received: from laptop (per2-46.vianet.net.au [202.165.72.174])by
> >freddie.vianet.net.au (8.9.3/8.9.2) with SMTP id TAA08104for
> ><snort-users () lists sourceforge net>; Wed, 19 Sep 2001 19:47:37 +0800
> >From snort-users-admin () lists sourceforge net Wed, 19 Sep 2001 04:53:48
> >-0700
> >Message-ID: <MCEKJDCFAKOIACBMPEICOEIKEEAA.frankieh () vianet net au>
> >X-Priority: 3 (Normal)
> >X-MSMail-Priority: Normal
> >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
> >Importance: Normal
> >In-Reply-To: <a05100300b7ce249dea7f@[193.63.251.24]>
> >X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> >Sender: snort-users-admin () lists sourceforge net
> >Errors-To: snort-users-admin () lists sourceforge net
> >X-BeenThere: snort-users () lists sourceforge net
> >X-Mailman-Version: 2.0.5
> >Precedence: bulk
> >List-Help: 
> <mailto:snort-users-request () lists sourceforge net?subject=help>
> >List-Post: <mailto:snort-users () lists sourceforge net>
> >List-Subscribe:
> ><https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-us
> ers-request () lists sourceforge net?subject=subscribe>
> >List-Id: Snort users talk about... Snort!
> ><snort-users.lists.sourceforge.net>
> >List-Unsubscribe:
> ><https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-us
> ers-request () lists sourceforge net?subject=unsubscribe>
> >List-Archive: <https://lists.sourceforge.net/archives//snort-users/>
> >X-Original-Date: Wed, 19 Sep 2001 19:39:43 +0800
> >
> >
> >if anyone wants to see nimda in action (and you haven't already.)
> >
> >try going to this site..
> >
> >http://203-236-233-27.rev.nextel.co.kr/
> >
> >whatever you do, don't run the readme.exe file....(assuming you are on
> >windows..)
> >
> >rgds
> >
> >Frank
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users () lists sourceforge net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users