Snort mailing list archives
RE: Nimda in action deplorable stuff this...
From: <ktimm () server1 stingrey com>
Date: Wed, 19 Sep 2001 11:44:00 -0500 (CDT)
Check out the guardian, snort combination.

On Wed, 19 Sep 2001, Franki wrote:
Sorry mate, I went there on a Windows 2000 box that has IIS running (testing Perl scripts), and when it asked me to download the file, I did, saved it to my desktop, and scanned it with Inoculate (didn't find anything), then zipped it so I wouldn't accidentally run it, and deleted the original...

I was going to all the sites from my logs to look for email addresses to warn people about their server when I came across them... I clicked cancel when it asked to download on each one, and had no problems...

I thought I would mention, I have been going to the pages of the IPs showing up in the logs, so as to get some real email addresses instead of guessing... Most of the pages that came up were default NT4 or 2000 pages, i.e. these people don't even know they are running a web server... Also, a port scan of them shows that most of them didn't even have firewalls around them, and had at least 20 or more ports listening on them... That is a deplorable lack of thought about security... just thought I'd mention it...

Does anyone have a small Perl/shell script that can use ipchains to block any IP that requests cmd.exe, root.exe, admin.dll etc.? Something like that would be small and light and have much less impact on the systems than Snort... and just as effective in this case... Anyone?

rgds
Frank

-----Original Message-----
From: Travis Farmer [mailto:travis5765 () hotmail com]
Sent: Wednesday, 19 September 2001 11:40 PM
To: frankieh () vianet net au
Subject: Re: [Snort-users] Nimda in action

Thought I sent a message but I guess not. Just a note, the file may autoload on some machines. I may have been infected but I'm not sure yet. The report at Symantec of what this worm does seems to have not taken place on my computer. I do have a copy that I transferred from the Internet temp to a Linux box for safekeeping in case somebody wants a copy for study.

Interestingly, I think the reason I was "protected" was that Media Player was the application chosen by Windows to "play" it. As it was an invalid media file, it stopped the process. I still have to confirm as to whether I truly am safe or not. A few tests here and there. I changed all references to my SMTP server to a bogus IP and started up Zone Alarm so any Internet traffic that I don't say "yes" to will be halted.

~Travis

From: "Franki" <frankieh () vianet net au>
Reply-To: <frankieh () vianet net au>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Nimda in action
Date: Wed, 19 Sep 2001 19:39:43 +0800
Message-ID: <MCEKJDCFAKOIACBMPEICOEIKEEAA.frankieh () vianet net au>
In-Reply-To: <a05100300b7ce249dea7f@[193.63.251.24]>

If anyone wants to see Nimda in action (and you haven't already), try going to this site: http://203-236-233-27.rev.nextel.co.kr/

Whatever you do, don't run the readme.exe file... (assuming you are on Windows.)

rgds
Frank

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
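Frank asks above for a small Perl/shell script that uses ipchains to block any IP requesting cmd.exe, root.exe or admin.dll, and ktimm points at the guardian/Snort combination instead. The script below is an added example written for this archive page; it is not code from the thread, from guardian, or from the Snort project. It reads Apache-style access-log lines, picks out the client IP of every request whose request line contains one of the three probe names from Frank's post, and prints one ipchains DENY rule per unique IP. Everything not on the page is an assumption of the example: common/combined log format with the client IP in the first field, the ipchains `input` chain of a 2.2-series kernel, the allowlist variable, and the constructed sample log lines.

```shell
#!/bin/sh
# Added example, not from the thread: turn web-server log lines that show a
# Nimda-style probe into ipchains DENY rules, one per offending client IP.
#
# Assumptions (not stated on the page): Apache common/combined log format
# (client IP is field 1, the request line is the first double-quoted field),
# the ipchains "input" chain of a 2.2-era kernel, and the probe list below.
# Usage:  nimda_block_cmds < /var/log/httpd/access_log | sh
# Read the printed rules before piping them to sh.

# Request substrings (lower case, used as an awk dynamic regex) that mark a
# worm probe. These three names are the ones asked about in the thread.
NIMDA_PATTERNS='cmd[.]exe|root[.]exe|admin[.]dll'

# Addresses that must never be blocked, space separated (your own hosts).
ALLOWLIST="${ALLOWLIST:-127.0.0.1}"

# Constructed sample log (documentation-range IPs), used only by
# demo_block_cmds below.
SAMPLE_LOG='203.0.113.7 - - [19/Sep/2001:11:02:13 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [19/Sep/2001:11:02:14 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.22 - - [19/Sep/2001:11:03:01 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.9 - - [19/Sep/2001:11:04:40 +0800] "GET /index.html HTTP/1.0" 200 1234
127.0.0.1 - - [19/Sep/2001:11:05:00 +0800] "GET /scripts/Admin.dll HTTP/1.0" 404 -'

# nimda_offenders: read log lines on stdin, print each offending client IP once.
# Only the quoted request line is matched, so a probe string that merely
# appears in a referer or user-agent field does not cause a block, and a
# line whose first field is not a dotted-quad IP is ignored.
nimda_offenders() {
    awk -v pat="$NIMDA_PATTERNS" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && match($0, /"[^"]*"/) {
            req = tolower(substr($0, RSTART + 1, RLENGTH - 2))
            if (req ~ pat && !($1 in skip) && !seen[$1]++) print $1
        }'
}

# nimda_block_cmds: emit one ipchains rule per offending IP.
nimda_block_cmds() {
    nimda_offenders | while IFS= read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# demo_block_cmds: run the pipeline over the constructed sample log.
# Expected: one rule for 203.0.113.7 (probed twice, listed once) and one for
# 198.51.100.22; 192.0.2.9 fetched a normal page and 127.0.0.1 is allowlisted.
demo_block_cmds() {
    printf '%s\n' "$SAMPLE_LOG" | nimda_block_cmds
}
```

The script only prints rules, so you can inspect them before applying; running it as a log watcher that pipes straight into sh means a root process adds firewall rules on the strength of a log line, so keep the allowlist populated with your own monitoring hosts and anything behind a shared NAT address you care about. Rules accumulate for as long as infected hosts keep probing, so flush or expire the chain periodically. The guardian/Snort pairing ktimm recommends takes the same blocking step from Snort alerts rather than from the web server's own log.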
Current thread:
- RE: Nimda in action deplorable stuff this... Franki (Sep 19)
- RE: Nimda in action deplorable stuff this... ktimm (Sep 19)