Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: Clinton Smith <security () infosecwest com>
Date: Thu, 09 May 2002 08:22:25 +0800

brossini () csc com au wrote:

I agree, these machines NEED to be cleaned and secured, OR removed from the
network.


In a perfect world Microsoft, Apache, etc. could include a feature in their
webservers that (via the exploit) produced a "net send" command to be run on the
infected system telling them to patch up.

e.g.
infected system requests dodgy URL, e.g.:   GET /scripts/root.exe?/c+dir
the system then responds by requesting a net send command to the Administrator.
(it might even be possible to do it via a URL rewriting/redirection rule)

no - this will not fix all of the problems
yes - it is probably illegal - or at the least very grey.


An alternative to the above and public disclosure of infected systems would be to log to a
communal cgi / database at Microsoft - as it is they who have gifted the world with
this issue. After the addresses have been collected - let them take an active role in
eradicating this menace.

something like... (for apache)

<Location /scripts/root.exe*>
    Deny from all
    ErrorDocument 403 http://abuse.microsoft.com/iis_abuse_log.cgi
</Location>

I look at this problem as the computer equivalent of smallpox - without cooperation
and some big backers - there is little hope of defeating it in sporadic and isolated attempts.


Clinton
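The post's second suggestion amounts to collecting the addresses of probing hosts so someone can notify their owners. As an added example (not code from the post or from any of the projects it names), the script below does the collection side on the webserver's own access log: it parses Apache combined-format lines, flags requests matching Nimda probe paths, and summarises them per source address with first/last seen times. The sample log lines and IP addresses are constructed for the example; the first probe pattern is the one quoted in the post, the others are taken from public descriptions of the worm's scanning behaviour.

```python
"""Summarise Nimda-style probe requests found in a web-server access log.

Added example for this thread, not code from the original post. The log
lines in SAMPLE_LOG are constructed; 192.0.2.x / 198.51.100.x are
documentation ranges, not real infected hosts.
"""
import re
from collections import defaultdict

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe paths identifying a Nimda-infected client. The first is the one quoted in
# the post; the rest come from public write-ups of the worm's scan sequence.
NIMDA_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"^/scripts/root\.exe\?/c\+dir",
        r"^/MSADC/root\.exe\?/c\+dir",
        r"^/[cd]/winnt/system32/cmd\.exe\?/c\+dir",
        r"^/scripts/\.\.%255c\.\./winnt/system32/cmd\.exe\?/c\+dir",
        r"^/_vti_bin/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c\.\./winnt/system32/cmd\.exe\?/c\+dir",
    )
]

# Constructed sample input: three probes from one host, one normal request,
# one probe from a second host, and one unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2002:08:01:02 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [09/May/2002:08:01:03 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [09/May/2002:08:01:04 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [09/May/2002:08:05:00 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [09/May/2002:08:07:11 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path):
    """True if the request path matches one of the known probe patterns."""
    return any(p.match(path) for p in NIMDA_PATTERNS)


def summarise(lines):
    """Map each probing source IP to its probe count, first/last timestamp and distinct paths."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec["path"]):
            continue  # skip malformed lines and ordinary traffic
        entry = report[rec["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
        entry["paths"].add(rec["path"])
    return dict(report)


def format_report(report):
    """Render the summary as one line per source, suitable for an abuse notification."""
    lines = []
    for ip in sorted(report):
        e = report[ip]
        lines.append(f"{ip}: {e['count']} probe(s), first {e['first']}, last {e['last']}, "
                     f"{len(e['paths'])} distinct path(s)")
    return lines


if __name__ == "__main__":
    for line in format_report(summarise(SAMPLE_LOG)):
        print(line)
```

Pointing `summarise` at a real access log (one line per iteration) gives the per-source list the post wants to hand to whoever is responsible for the infected machines; the status code is not used as a filter because the probes appear in the log whether the server returns 404 or, as in the post's Apache snippet, 403.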

