[Snort-users] Nimda in action deplorable stuff this...

Jay and Lynn Withrow jandlynn at ...125...
Wed Sep 19 09:30:04 EDT 2001


I am now redirecting all Code Red requests back to themselves, so maybe it
will get lost in a circular reference, as I am redirecting it back to itself
exactly as the request was sent.

I plan on doing the same for the Nimda worm as soon as I figure out how to
map +dir as a file extension to the ASP engine; it doesn't seem to like the
+ as an extension delimiter, and it keeps appending a "."

This way, when a request is made for c+dir, they will actually be requesting 
a file named c with the extension +dir (c+dir).

- Jason


>From: "Franki" <frankieh at ...2806...>
>Reply-To: <frankieh at ...2806...>
>To: "Travis Farmer" <travis5765 at ...125...>
>CC: <snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] Nimda in action  deplorable stuff this...
>Date: Wed, 19 Sep 2001 23:51:00 +0800
>
>sorry mate, I went there on a windows 2000 box that has IIS running
>(testing perl scripts),
>
>and when it asked me to download the file, I did, saved it to my desktop,
>and scanned it with innoculate (didn't find anything), then zipped it so I
>wouldn't accidentally run it, and deleted the original...
>
>I was going to all the sites from my logs to look for email addresses to
>warn people about their server when I came across them... I clicked cancel
>when it asked to download on each one, and had no problems...
>
>
>I thought I would mention, I have been going to the pages of the IPs
>showing up in the logs, so as to get some real email addresses instead of
>guesses...
>
>Most of the pages that came up were default NT4 or 2000 pages, i.e. these
>people don't even know they are running a web server...  also, a port scan
>of them shows that most of them didn't even have firewalls around them, and
>had at least 20 or more ports listening on them...
>
>
>That is a deplorable lack of thought about security...
>
>just thought I'd mention it.....
>
>
>Does anyone have a small perl/shell script that can use ipchains to block
>any ip that requests cmd.exe, root.exe, admin.dll etc etc???   something
>like that would be small and light and much less impact on the systems than
>snort.... and just as effective in this case....
>
>anyone??
>
>
>rgds
>
>Frank
>
>-----Original Message-----
>From: Travis Farmer [mailto:travis5765 at ...125...]
>Sent: Wednesday, 19 September 2001 11:40 PM
>To: frankieh at ...2806...
>Subject: Re: [Snort-users] Nimda in action
>
>
>Thought I sent a message but I guess not.
>Just a note, the file may autoload on some machines.
>
>
>I may have been infected but I'm not sure yet. The report at symantec of
>what this worm does seems to have not taken place on my computer.
>I do have a copy that I transferred from the internet temp to a Linux box
>for safe keeping in case somebody wants a copy for study.
>
>Interestingly, I think the reason I was "protected" was that media player
>was the application chosen by windows to "play" it. As it was an invalid
>media file, it stopped processing. I still have to confirm as to if I truly
>am safe or not. A few tests here and there. I changed all references to my
>SMTP server to a bogus ip and started up Zone Alarm so any internet traffic
>that I don't say "yes" to will be halted.
>
>~Travis
>
>
> >From: "Franki" <frankieh at ...2806...>
> >Reply-To: <frankieh at ...2806...>
> >To: <snort-users at lists.sourceforge.net>
> >Subject: [Snort-users] Nimda in action
> >Date: Wed, 19 Sep 2001 19:39:43 +0800
> >
> >
> >if anyone wants to see nimda in action (and you haven't already.)
> >
> >try going to this site..
> >
> >http://203-236-233-27.rev.nextel.co.kr/
> >
> >whatever you do, don't run the readme.exe file....(assuming you are on
> >windows..)
> >
> >rgds
> >
> >Frank
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>

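Franki asks above for a small perl/shell script that uses ipchains to block any address requesting cmd.exe, root.exe or admin.dll. What follows is an added example written for this page; it is not a script from the thread, from Snort, or from any of the posters. It assumes the web server writes Apache "combined" format logs (client address in the first field, request line in the first quoted string), an ipchains chain named input (the 2.2-kernel era default), and it only executes rules when the environment variable APPLY is set to 1, a convention of this example alone; otherwise it prints them for review. The log lines embedded in it are constructed, not real traffic. default.ida (Code Red) is included alongside the Nimda targets because Jason's message also deals with Code Red.

```shell
#!/bin/sh
# Added example, not from the thread: scan a web-server access log for the
# URIs that Code Red and Nimda probe for and emit one ipchains DENY rule per
# source address. Assumptions: Apache "combined" log format, ipchains with
# an "input" chain, and an APPLY=1 switch (this example's own convention)
# before anything is actually executed.

# Constructed sample log for demonstration; not real traffic.
SAMPLE_LOG='10.1.2.3 - - [19/Sep/2001:23:40:01 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
10.1.2.3 - - [19/Sep/2001:23:40:02 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
192.0.2.44 - - [19/Sep/2001:23:41:17 +0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.9 - - [19/Sep/2001:23:42:05 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
203.0.113.7 - - [19/Sep/2001:23:43:30 +0800] "GET /default.ida?XXXX HTTP/1.0" 404 278 "-" "-"
192.0.2.44 - - [19/Sep/2001:23:44:00 +0800] "GET /_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
10.1.2.3 - - [19/Sep/2001:23:44:09 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"'

# Targets the worms ask for: cmd.exe, root.exe, admin.dll (Nimda) and
# default.ida (Code Red). Bracketed dots avoid awk -v escape processing;
# the match is case-insensitive because IIS paths are.
WORM_PATTERN='cmd[.]exe|root[.]exe|admin[.]dll|default[.]ida'

# Print the unique client addresses whose request line matched, one per
# line, in first-seen order. $1 is the client address in combined format;
# the request line is the first double-quoted string.
extract_attackers() {
    printf '%s\n' "$1" |
    awk -v pat="$WORM_PATTERN" '
        { req = $0
          sub(/^[^"]*"/, "", req)      # drop everything up to the first quote
          sub(/".*$/, "", req)         # drop everything from the closing quote
          if (tolower(req) ~ pat && !seen[$1]++) print $1 }'
}

# Turn the address list into ipchains rules (-l logs matching packets).
# With APPLY=1 the rules are executed; otherwise they are printed so the
# operator can review them before cutting anyone off.
block_attackers() {
    extract_attackers "$1" | while read -r ip; do
        cmd="ipchains -A input -s $ip -j DENY -l"
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

block_attackers "$SAMPLE_LOG"
```

Against a real log, run `block_attackers "$(cat /var/log/apache/access_log)"`, check the printed rules, then repeat with APPLY=1. Two cautions a practitioner will want: a DENY on the whole source address is broader than the port-80 probe it answers, so an infected host behind a NAT gateway takes every user of that gateway with it; and the rule list grows without bound, so flush it periodically rather than leaving hundreds of stale entries in the chain.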
