[Snort-users] Nimda infections..

Franki frankieh at ...2806...
Thu Sep 20 09:12:04 EDT 2001

well, I now have a linux/unix shell script that looks for root.exe, cmd.exe,
default.ida and Admin.dll in my server error logs...

if it finds them, it adds the asking ip to ipchains deny rules...

it also writes the list of offending ip's to a file,, and there is now 2900
ip's in that file..

I would love to know an automated way of letting the owners know, but I
can't think of any way....

still, between this and the root.exe shutdown php thing, its better then
nothing and has speed the server up alittle...

anyone have any suggestions????  how can I automate telling sysadmins that
their servers are infected via just their ip's??

spose I could reverse dns them, then use get to get their default web pages,
then parse it for email address's then send them all emails, but that would
send thousands of emails to Microsoft, since the majority of pages I saw
were default microsoft iis pages....

so whats to do??



-----Original Message-----
From: Tom Rowan [mailto:tom.rowan at ...3394...]
Sent: Friday, 21 September 2001 1:02 AM
To: 'frankieh at ...2806...'
Subject: RE: [Snort-users] Nimda infections..

SO. What do we do about it!?

> -----Original Message-----
> From: Franki [mailto:frankieh at ...2806...]
> Sent: 20 September 2001 07:56
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Nimda infections..
> Hi all,
> I just thought I'd mention something,,
> last night I posed a URL to an infected server to show people what it
> does...
> The reason I only gave a token warning about it, was because
> in my case, the
> file asked to be downloaded and where I wanted to save it.
> It turns out that it does that because I have every MS
> updated loaded on
> it..
> if you have a version of IE prior to 6 (or an unpatched
> earlier version),
> and you go to a site thats infected by Nimda,, it will
> autodownload the .eml
> file and you get infected..
> I was unaware of this last night and figured everyone would
> be asked if they
> wanted to download the file,,, to which you could cancel...
> My apologies..
> rgds
> Frank
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list