[Snort-users] Nimda in action deplorable stuff this...

Franki frankieh at ...2806...
Wed Sep 19 08:59:08 EDT 2001


sorry mate, I went there on a windows 2000 box that has IIS running,
(testing perl scripts)

and when it asked me to download the file, I did, saved it to my desktop,
and scanned it with Inoculate (didn't find anything), then zipped it so I
wouldn't accidentally run it, and deleted the original...

I was going to all the sites from my logs to look for email addresses to
warn people about their server when I came across them... I clicked cancel
when it asked to download on each one, and had no problems...


I thought I would mention, I have been going to the pages of the IPs
showing up in the logs, so as to get some real email addresses instead of
guessing...

Most of the pages that came up were default NT4 or 2000 pages, ie these
people don't even know they are running a web server...  also, a port scan
of them shows that most of them didn't even have firewalls around them, and
had at least 20 or more ports listening on them...


That is a deplorable lack of thought about security...

just thought I'd mention it.....


Does anyone have a small perl/shell script that can use ipchains to block
any ip that requests cmd.exe, root.exe, admin.dll etc etc???   something like
that would be small and light and have much less impact on the systems than
snort.... and just as effective in this case....

anyone??


rgds

Frank
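The script Frank asks for, as an added example that is not part of the original thread: it reads a web server access log in common log format (client IP in the first field, request line in quotes), picks out clients whose requests name the Nimda probe files mentioned above (cmd.exe, root.exe, admin.dll), and prints one ipchains DENY rule per offending source. The sample log lines are constructed, using RFC 5737 documentation addresses, and the rules are printed rather than executed so they can be reviewed before being piped to a shell; the `ipchains -A input -s IP -j DENY` form is the 2.2-kernel syntax, and on a 2.4+ kernel the equivalent rule is `iptables -A INPUT -s IP -j DROP`.

```shell
#!/bin/sh
# Added example (not from the thread): turn Nimda probe requests found in a
# web access log into ipchains DENY rules for the requesting client IPs.
# Assumptions: common log format (field 1 = client IP, request line quoted);
# rules are echoed, not run, so they can be inspected first.

# Constructed sample log (RFC 5737 addresses). Two scanning hosts, one
# normal visitor, and one benign URL that merely contains "cmd_exe".
SAMPLE_LOG='203.0.113.7 - - [19/Sep/2001:19:47:37 +0800] "GET /scripts/root.exe HTTP/1.0" 404 -
192.0.2.44 - - [19/Sep/2001:19:47:38 +0800] "GET /index.html HTTP/1.0" 200 1234
198.51.100.23 - - [19/Sep/2001:19:47:39 +0800] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 -
203.0.113.7 - - [19/Sep/2001:19:47:40 +0800] "GET /scripts/admin.dll HTTP/1.0" 404 -
198.51.100.23 - - [19/Sep/2001:19:47:41 +0800] "GET /CMD.EXE HTTP/1.0" 404 -
192.0.2.44 - - [19/Sep/2001:19:47:42 +0800] "GET /docs/cmd_exe_notes.html HTTP/1.0" 200 512'

# Probe file names, anchored on a path separator and followed by end of
# path, "?", a quote or a space, so "cmd_exe_notes.html" is not a hit.
# Matched case-insensitively because IIS paths are case-insensitive.
PROBE_RE='/(cmd\.exe|root\.exe|admin\.dll)([?" ]|$)'

# Write the constructed sample to the file given as $1 (for demos/tests).
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print the unique client IPs (one per line, sorted) that requested a
# probe file in log file $1. Only well-formed dotted-quad sources are
# kept so nothing odd from a mangled log line reaches the firewall.
nimda_offenders() {
    grep -Ei "$PROBE_RE" "$1" \
        | awk '{ print $1 }' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u
}

# Emit one ipchains rule per offender in log $1. If $2 names a file of
# already-blocked IPs (one per line), skip those so the script can run
# from cron without stacking duplicate rules.
block_rules() {
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        nimda_offenders "$1" | grep -Fxv -f "$2"
    else
        nimda_offenders "$1"
    fi | while read -r ip; do
        echo "ipchains -A input -s $ip -j DENY"
    done
}

# Demo: ./nimda_block.sh --demo   (review the output, then pipe to sh
# on the firewall host and append the IPs to your blocked-list file)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    block_rules "$tmp"
    rm -f "$tmp"
fi
```

Run against the real log with `block_rules /var/log/httpd/access_log /etc/nimda-blocked` and append each emitted IP to the blocked-list file once the rule is loaded. Note the limits: every newly infected host is a fresh source address, so this is reactive cleanup rather than prevention, and if your own users sit behind a shared proxy a single scan from that proxy would cut them all off.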

-----Original Message-----
From: Travis Farmer [mailto:travis5765 at ...125...]
Sent: Wednesday, 19 September 2001 11:40 PM
To: frankieh at ...2806...
Subject: Re: [Snort-users] Nimda in action


Thought I sent a message but I guess not.
Just a note, the file may autoload on some machines.


I may have been infected but I'm not sure yet. The report at Symantec of
what this worm does seems to have not taken place on my computer.
I do have a copy that I transferred from the internet temp to a Linux box for
safe keeping in case somebody wants a copy for study.

Interestingly, I think the reason I was "protected" was that Media Player
was the application chosen by Windows to "play" it. As it was an invalid
media file, it stopped the process. I still have to confirm whether I truly am
safe or not. A few tests here and there. I changed all references to my SMTP
server to a bogus IP and started up Zone Alarm so any internet traffic that
I don't say "yes" to will be halted.

~Travis


>From: "Franki" <frankieh at ...2806...>
>Reply-To: <frankieh at ...2806...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Nimda in action
>Date: Wed, 19 Sep 2001 19:39:43 +0800
>MIME-Version: 1.0
>Received: from [216.136.171.252] by hotmail.com (3.2) with ESMTP id
>MHotMailBD71D20C006340042A18D888ABFCF0F20; Wed, 19 Sep 2001 04:52:45 -0700
>Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net)by
>usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id
>15jfpl-0006BE-00; Wed, 19 Sep 2001 04:48:05 -0700
>Received: from [202.165.70.4] (helo=freddie.vianet.net.au)by
>usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))id
>15jfpO-00066y-00for <snort-users at lists.sourceforge.net>; Wed, 19 Sep 2001
>04:47:42 -0700
>Received: from laptop (per2-46.vianet.net.au [202.165.72.174])by
>freddie.vianet.net.au (8.9.3/8.9.2) with SMTP id TAA08104for
><snort-users at lists.sourceforge.net>; Wed, 19 Sep 2001 19:47:37 +0800
>From snort-users-admin at lists.sourceforge.net Wed, 19 Sep 2001 04:53:48
>-0700
>Message-ID: <MCEKJDCFAKOIACBMPEICOEIKEEAA.frankieh at ...2806...>
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
>Importance: Normal
>In-Reply-To: <a05100300b7ce249dea7f@[193.63.251.24]>
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
>Sender: snort-users-admin at lists.sourceforge.net
>Errors-To: snort-users-admin at lists.sourceforge.net
>X-BeenThere: snort-users at lists.sourceforge.net
>X-Mailman-Version: 2.0.5
>Precedence: bulk
>List-Help: <mailto:snort-users-request at lists.sourceforge.net?subject=help>
>List-Post: <mailto:snort-users at lists.sourceforge.net>
>List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request at lists.sourceforge.net?subject=subscribe>
>List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
>List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,<mailto:snort-users-request at lists.sourceforge.net?subject=unsubscribe>
>List-Archive: <https://lists.sourceforge.net/archives//snort-users/>
>X-Original-Date: Wed, 19 Sep 2001 19:39:43 +0800
>
>
>if anyone wants to see nimda in action (and you haven't already.)
>
>try going to this site..
>
>http://203-236-233-27.rev.nextel.co.kr/
>
>whatever you do, don't run the readme.exe file....(assuming you are on
>windows..)
>
>rgds
>
>Frank
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users

