RE: Worms and CScript/WScript

From: verbalat_private
Date: Tue May 21 2002 - 15:17:37 PDT


    Sure you could, but if they get that far, you're in trouble as it is.

    You could adjust the NTFS perms on the files listed below to
    explicitly allow rights only to certain users; however, who knows
    what ill effects that could have in future application

    Ultimately, once they're in, they're in.  A person can't just execute
    arbitrary code on a remote host without the availability of some
    exploit on the perimeter.  Why not stop them there first?  (hardening
    in the event of perimeter penetration is advised additionally as well)
    Wscript.exe and Cscript.exe
        The host.
        The WSH Shell Object.
        The Scripting Runtime - contains the FileSystemObject and the
          powerful Dictionary Object.
        Contains the Global Modules, Classes, and the Regular Expression
        New with WSH 5.6, handles the new authenticity and certification
          methods for scripts.
        Contains numerous Shell Extensions that are accessible from WSH.
        This is the Microsoft port of JavaScript, originally built by
          Netscape. With only a few exceptions it looks and behaves like
    -----Original Message-----
    From: Blake Frantz [mailto:blakeat_private]
    Sent: Tuesday, May 21, 2002 4:45 PM
    To: incidentsat_private
    Subject: Worms and CScript/WScript

    A majority of the worms (even SQLsnake) that have been going around
    lately take advantage of cscript and wscript.  What ramifications
    be felt on vanilla installs of common services (MS SQL, Exchange, IIS,
    etc.) if these two files were moved or deleted?  It seems like a
    easy way to help mitigate the 'success' of Internet worms.  Any

    Blake Frantz  A+, CNA, CCNA, MCSE
    Network Security Analyst
    720 Industrial Drive #121
    Cary, IL 60013
    phn: (847)-594-5111 x5734
    fax: (847)-639-0097