[Snort-users] Nimda in action deplorable stuff this...

ktimm at ...651...
Wed Sep 19 09:45:03 EDT 2001


Check out the guardian / snort combination.

On Wed, 19 Sep 2001, Franki wrote:

> sorry mate, I went there on a Windows 2000 box that has IIS running
> (testing perl scripts),
> 
> and when it asked me to download the file, I did, saved it to my desktop,
> and scanned it with Inoculate (didn't find anything), then zipped it so I
> wouldn't accidentally run it, and deleted the original...
> 
> I was going to all the sites from my logs to look for email addresses to
> warn people about their server when I came across them... I clicked cancel
> when it asked to download on each one, and had no problems...
> 
> 
> I thought I would mention, I have been going to the pages of the IPs
> showing up in the logs, so as to get some real email addresses instead of
> guessing...
> 
> Most of the pages that came up were default NT4 or 2000 pages, i.e. these
> people don't even know they are running a web server...  also, a port scan
> of them shows that most of them didn't even have firewalls around them, and
> had at least 20 or more ports listening on them...
> 
> 
> That is a deplorable lack of thought about security...
> 
> just thought I'd mention it.....
> 
> 
> Does anyone have a small perl/shell script that can use ipchains to block
> any IP that requests cmd.exe, root.exe, admin.dll etc etc???   something like
> that would be small and light and have much less impact on the systems than
> snort.... and just as effective in this case....
> 
> anyone??
> 
> 
> rgds
> 
> Frank
> 
> -----Original Message-----
> From: Travis Farmer [mailto:travis5765 at ...125...]
> Sent: Wednesday, 19 September 2001 11:40 PM
> To: frankieh at ...2806...
> Subject: Re: [Snort-users] Nimda in action
> 
> 
> Thought I sent a message but I guess not.
> Just a note, the file may autoload on some machines.
> 
> 
> I may have been infected but I'm not sure yet. The report at Symantec of
> what this worm does seems to have not taken place on my computer.
> I do have a copy that I transferred from the internet temp to a Linux box for
> safe keeping in case somebody wants a copy for study.
> 
> Interestingly, I think the reason I was "protected" was that Media Player
> was the application chosen by Windows to "play" it. As it was an invalid
> media file, it stopped the process. I still have to confirm as to whether I truly am
> safe or not. A few tests here and there. I changed all references to my SMTP
> server to a bogus IP and started up Zone Alarm so any internet traffic that
> I don't say "yes" to will be halted.
> 
> ~Travis
> 
> 
> >From: "Franki" <frankieh at ...2806...>
> >Reply-To: <frankieh at ...2806...>
> >To: <snort-users at lists.sourceforge.net>
> >Subject: [Snort-users] Nimda in action
> >Date: Wed, 19 Sep 2001 19:39:43 +0800
> >
> >if anyone wants to see nimda in action (and you haven't already)
> >
> >try going to this site..
> >
> >http://203-236-233-27.rev.nextel.co.kr/
> >
> >whatever you do, don't run the readme.exe file... (assuming you are on
> >Windows..)
> >
> >rgds
> >
> >Frank
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
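Frank asks above for a small script that uses ipchains to shut out any source requesting cmd.exe, root.exe or admin.dll. The following is an added example written for this page, not code from anyone in the thread: it reads a common/combined-format web server access log (constructed sample lines are embedded), collects the client addresses that sent those probe URIs, and prints one ipchains DENY rule per address. It assumes the classic `ipchains -A input -s IP -j DENY` syntax and that the log's first field is the client IP.

```sh
#!/bin/sh
# Added example, not code from the thread: turn web server access-log hits for
# the probe URIs Frank lists (cmd.exe, root.exe, admin.dll) into ipchains DENY
# rules. Assumes common/combined log format (client IP in field 1, request line
# in the first quoted field) and ipchains syntax "ipchains -A input -s IP -j DENY".
# It only prints the commands; review them before feeding them to a shell.

PROBE_RE='cmd[.]exe|root[.]exe|admin[.]dll'   # matched case-insensitively below

# make_sample_log FILE: write a constructed sample access log to FILE
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [19/Sep/2001:11:40:01 +0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [19/Sep/2001:11:40:02 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [19/Sep/2001:11:40:02 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Sep/2001:11:40:03 +0800] "GET /_vti_bin/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [19/Sep/2001:11:40:04 +0800] "GET /readme.txt HTTP/1.0" 200 55
badhost.example - - [19/Sep/2001:11:40:05 +0800] "GET /scripts/Admin.dll HTTP/1.0" 404 210
EOF
}

# nimda_sources LOGFILE: print each client address that requested a probe URI,
# once. Only dotted-quad sources are emitted, so a resolved hostname or a
# malformed log line can never end up on the ipchains command line.
nimda_sources() {
    awk -v re="$PROBE_RE" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            req = $0
            sub(/^[^"]*"/, "", req)   # drop everything before the request line
            sub(/".*$/, "", req)      # drop everything after it
            if (tolower(req) ~ re) print $1
        }' "$1" | sort -u
}

# nimda_rules LOGFILE: one ipchains DENY command per offending source
nimda_rules() {
    nimda_sources "$1" | while read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# Stand-alone run: generate rules from the sample log (point it at a real
# access log to use it for real, and keep your own addresses out of the result).
tmp=$(mktemp)
make_sample_log "$tmp"
nimda_rules "$tmp"
rm -f "$tmp"
```

Because it works from the log, a rule is only added after the first probe has already been answered; the rule then stops every later request from that source, which is what matters against a worm that keeps scanning.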
