[Snort-users] Answer to proxy question and logging
securitygauntlet at ...3130...
Fri Sep 21 08:08:04 EDT 2001
This is in response to Thomas Nilsen's posting to the snort users group.
This Worm sets up an SMTP server utilizing the MIME exploit in IE and
connecting to Outlook Express on the desktop, even if the Express is not
configured. The proxy will ONLY log the port which you have the proxy set to,
such as 8080. This exploit is taken advantage of when a person goes to an
infected site. If you load up NortonsAV with the latest def and then go to
one of these sites (URL provided on request), Nortons will activate upon
browsing to these sites and give you an "Access denied" error message when
the site tries to send a JavaScript to your machine. This script sets up
the Worm and the exploit.
Good luck all. This is a VERY VERY VERY nasty Worm. In most cases one needs to
burn down and rebuild ANY infected machines, especially IIS servers. There is
just no real way to clean ALL the Junk effectively. This is a recommendation
from TruSecure, who runs a World Class Research lab for this stuff.
Wayne T Work
Manager of Information Systems Security
wwork at ...3550...com