Snort mailing list archives

RE: Nimda infections..


From: "Franki" <frankieh () vianet net au>
Date: Fri, 21 Sep 2001 00:03:09 +0800

well, I now have a linux/unix shell script that looks for root.exe, cmd.exe,
default.ida and Admin.dll in my server error logs...

if it finds them, it adds the asking IP to ipchains deny rules...

it also writes the list of offending IPs to a file, and there are now 2900
IPs in that file..

I would love to know an automated way of letting the owners know, but I
can't think of any way....

still, between this and the root.exe shutdown php thing, it's better than
nothing and has sped the server up a little...


anyone have any suggestions????  how can I automate telling sysadmins that
their servers are infected via just their IPs??

suppose I could reverse DNS them, then use get to get their default web pages,
then parse them for email addresses, then send them all emails, but that would
send thousands of emails to Microsoft, since the majority of pages I saw
were default Microsoft IIS pages....

so what's to do??


rgds

Frank

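Frank only describes his script in outline. The following is an added example, not his script and not code from the Snort project, showing the same detection logic as a POSIX shell script: it greps web server log lines for the four probe strings he names (root.exe, cmd.exe, default.ida, Admin.dll), extracts the unique client IPs, drops any already recorded in a known-offenders file so rules are not added twice, and prints the ipchains deny rules for review instead of executing them. The log lines, IP addresses, file name and function names are constructed for the example; it assumes Apache-style access-log lines (client address in field 1) and Apache error-log lines (client address in "[client x.x.x.x]").

```shell
#!/bin/sh
# Added example, not Frank's script: detect Nimda/Code Red probes in web server
# logs and produce (but do not run) ipchains deny rules for the source IPs.

# Constructed sample: five Apache access-log lines plus one Apache error-log line.
SAMPLE_LOG='192.0.2.10 - - [20/Sep/2001:23:51:02 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [20/Sep/2001:23:51:03 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [20/Sep/2001:23:52:11 +0800] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 -
203.0.113.5 - - [20/Sep/2001:23:53:40 +0800] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [20/Sep/2001:23:54:00 +0800] "GET /scripts/Admin.dll HTTP/1.0" 404 -
[Thu Sep 20 23:55:12 2001] [error] [client 192.0.2.44] File does not exist: /var/www/scripts/root.exe'

# nimda_ips: read log lines on stdin, print each offending client IP once.
# The client address is field 1 in an access log and "[client x.x.x.x]" in an
# error log; both forms are handled.
nimda_ips() {
    grep -E 'root\.exe|cmd\.exe|default\.ida|Admin\.dll' |
        awk '{
            ip = $1
            if (match($0, /\[client [0-9.]+\]/))
                ip = substr($0, RSTART + 8, RLENGTH - 9)
            print ip
        }' |
        sort -u
}

# new_ips KNOWN_FILE: pass through only IPs not already listed in KNOWN_FILE,
# so each host gets one rule even when the script is run repeatedly.
new_ips() {
    known=$1
    [ -f "$known" ] || : > "$known"
    awk -v known="$known" 'FILENAME == known { seen[$0] = 1; next } !($0 in seen)' "$known" -
}

# deny_rules: turn an IP list on stdin into ipchains commands, printed for review.
deny_rules() {
    while read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# Stand-alone run: show the rules the sample log would generate.
printf '%s\n' "$SAMPLE_LOG" | nimda_ips | deny_rules
```

In real use the log would be piped in (`tail -n 5000 error_log | nimda_ips | new_ips blocked.txt | tee -a blocked.txt | deny_rules`) and the printed rules reviewed or applied by a separate step. The probe strings are requested over completed TCP connections, so the logged address is the infected host rather than a spoofed one, but a few thousand entries in a linear ipchains (or iptables `-A INPUT -s ... -j DROP`) chain cost a lookup per packet, so entries should be expired after some days rather than accumulated indefinitely.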
-----Original Message-----
From: Tom Rowan [mailto:tom.rowan () securityalchemy net]
Sent: Friday, 21 September 2001 1:02 AM
To: 'frankieh () vianet net au'
Subject: RE: [Snort-users] Nimda infections..


SO. What do we do about it!?

-----Original Message-----
From: Franki [mailto:frankieh () vianet net au]
Sent: 20 September 2001 07:56
To: snort-users () lists sourceforge net
Subject: [Snort-users] Nimda infections..


Hi all,

I just thought I'd mention something..

last night I posted a URL to an infected server to show people what it
does...

The reason I only gave a token warning about it was because in my case, the
file asked to be downloaded and where I wanted to save it.

It turns out that it does that because I have every MS update loaded on
it..

if you have a version of IE prior to 6 (or an unpatched earlier version),
and you go to a site that's infected by Nimda, it will autodownload the .eml
file and you get infected..

I was unaware of this last night and figured everyone would be asked if they
wanted to download the file, which you could cancel...

My apologies..


rgds

Frank


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
