Vulnerability Development mailing list archives

RE: Publishing Nimda Logs


From: "Emre Yildirim" <emre () uab edu>
Date: Wed, 8 May 2002 20:49:05 -0500 (CDT)

You know what would be really cool?  A worm that installed Linux and/or
Apache on those machines, while keeping all the previous settings,
such as the webroot, and publisher permissions, all that good stuff.
No, I didn't insinuate that it would be legal, not in the least, but
it would be cool!

How about it?  Anyone out there care to knock together a script that'll
pull IIS settings out of the registry, download and install Apache
with the same settings, disable IIS, spend (since I've already pulled
all this other crap out of my butt, let's see if we can find a number
also) 24 hours scanning for other vulnerable hosts, and then restart
the machine?  I think the only big challenge would be converting SSL
settings, and maybe, ensuring the ASP files still work.  Although,
isn't there a module for using ASP under Apache now?

That is worse than infecting machines with a worm.  Some people still don't
know much about Apache.  They'll just wake up one day and realize their
server runs on different software, and reinstall IIS/Windows.  That costs
time and money (some people could even get fired because of this).  It also
creates lots of unnecessary confusion (i.e. people calling the FBI thinking
they got hacked).  What about proprietary database software that was
specifically written for IIS?  You'll just break things.

The best solution is to educate people who use Microsoft products about
security.  Most of these Nimda servers don't even run web pages.  They're
just DSL/cable hosts, where the owner decided to install Windows on their
computers, and doesn't have a clue that a webserver is running.  The ISPs
should be more responsive to complaints as well -- it shouldn't require the
media to blow things out of proportion to make people aware of problems like
these.

Just my $0.01 on this thread (which has been discussed/debated a zillion
times by now).


-- 
Emre Yildirim, <insert job title here>
emre.yildirim () us army mil | emre () uab edu


