
Re: nimda



> How does this bring the amount of attempts down?

The attacking server makes a request for default.ida, and the web server
says "I don't have it, but you can find it at 127.0.0.1". The
attacking server then requests default.ida from itself. So you are telling
it where to get it. Otherwise, the overview of the web server attack
propagation of Nimda can be found at http://www.incidents.org/react/nimda.php;
then you might see why after 2 or 1 more tries it will give up.



> If you're going to keep a script on your box doing work when it finds
> these attempts, you may want to try the attached script (or something
> similar) which could possibly bring the amount of infected hosts down by
> some miniscule percentage (hey, it's a start).

I have run top after putting in those few lines and I did not see Apache
use up any considerable amount of CPU resources. In any case it was just
like it had been prior to the Nimda worm.

> This one basically uses the same IIS exploit to connect back to the
> offending party, sends a winpopup with a predetermined message (e.g. Your
> machine is infected with Code Red, please go to http://blahblahblah to fix
> it) and it also opens a browser window with a predetermined url.

Now this would be good so that we could get the number of computers
infected down; however, here where bandwidth is an issue, that bit about
your machine connecting back to the infected machine(s)...
How many instances of perl would that be, by the way?

> The script was written for Code Red, I haven't actually checked yet if it
> catches Nimda stuff.

Please check it out and post your results here so that we can all know the
outcome while I look through the script and get the mechanism clear.

Joseph.
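The two pieces discussed in this message, spotting default.ida probes in the web server log and answering them with a redirect to 127.0.0.1 so the probing host ends up requesting the file from itself, written out as an added example (not code from this thread or from the afnog list). It assumes Apache's common log format and the /default.ida path named above; the log lines are constructed sample input.

```python
"""Detect default.ida probes in Apache access logs and build the
loopback redirect reply described in the thread.

Added example, not code from the afnog thread. Assumes Apache common
log format; the sample log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common log format prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request path used by the IIS probe the thread talks about.
PROBE_PATH = "/default.ida"
# Where the redirect sends the probing host: back to its own loopback.
LOOPBACK_TARGET = "http://127.0.0.1/default.ida"


def is_probe(path):
    """True if the request path is a default.ida probe (query string ignored,
    case-insensitive, since IIS paths are not case sensitive)."""
    return urlsplit(path).path.lower() == PROBE_PATH


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_probes(lines):
    """Return a Counter of source IPs that requested default.ida, so a script
    watching the log can see which hosts keep retrying."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return hits


def redirect_response(path):
    """Reply the server should give for a request path: a 302 pointing the
    probing host at its own loopback for default.ida, or None to let normal
    request handling proceed."""
    if is_probe(path):
        return (302, {"Location": LOOPBACK_TARGET})
    return None


# Constructed sample log (RFC 5737 documentation addresses, padded query string).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:12:01 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 302 0',
    '192.0.2.10 - - [18/Sep/2001:10:12:03 +0000] "GET /Default.ida?XXXXXXXX HTTP/1.0" 302 0',
    '198.51.100.7 - - [18/Sep/2001:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [18/Sep/2001:10:14:09 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in count_probes(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} default.ida request(s)")
    print(redirect_response("/default.ida?XXXXXXXX"))
```

The counting side is what a watcher script needs in order to see a source retry and then stop; the redirect side is the whole of the "find it at 127.0.0.1" trick, and it costs the responding server only a 302 header rather than any connection back to the probing host.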






-----
This is the afnog mailing list, managed by Majordomo 1.94.4

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e. use "help" for help)

This list is maintained by owner-afnog at afnog.org