Sure you could, but if they get that far, you're in trouble as it is. You could adjust the NTFS perms on the files listed below to explicitly allow rights only to certain users; however, who knows what ill effects that could have in future application installation/use. Ultimately, once they're in, they're in. A person can't just execute arbitrary code on a remote host without the availability of some exploit on the perimeter. Why not stop them there first? (Hardening in the event of perimeter penetration is advised additionally as well.)

Wscript.exe and Cscript.exe - The host.
Wshom.ocx - The WSH Shell Object.
Scrrun.dll - The Scripting Runtime; contains the FileSystemObject and the powerful Dictionary Object.
VBScript.dll - Contains the Global Modules, Classes, and the Regular Expression Object.
Wshext.dll - New with WSH 5.6, handles the new authenticity and certification methods for scripts.
Shdocvw.dll - Contains numerous Shell Extensions that are accessible from WSH.
JScript.dll - This is the Microsoft port of JavaScript, originally built by Netscape. With only a few exceptions it looks and behaves like JavaScript.

-----Original Message-----
From: Blake Frantz [mailto:blakeat_private]
Sent: Tuesday, May 21, 2002 4:45 PM
To: incidentsat_private
Subject: Worms and CScript/WScript

Hello,

A majority of the worms (even SQLsnake) that have been going around lately take advantage of cscript and wscript. What ramifications would be felt on vanilla installs of common services (MS SQL, Exchange, IIS, etc.) if these two files were moved or deleted? It seems like a fairly easy way to help mitigate the 'success' of Internet worms.

Any thoughts?

Blake Frantz
A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blakeat_private
http://www.mc.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
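As an added, defender-side example that is not part of the original thread: a PowerShell audit of who is granted Execute on the WSH files the reply lists, so the current exposure is visible before any NTFS permission is changed. It assumes the files live under System32 and SysWOW64 and that the broad principal names match a default English install; nothing here modifies a DACL.

```powershell
# Added example (not from the original thread): audit which principals may execute
# the WSH host and its libraries. Reports every Allow ACE carrying ExecuteFile and
# flags grants to broad groups, which are the ones the reply suggests tightening.
# Assumption: files live in System32 / SysWOW64; run from an elevated prompt.

$WshFiles = @('wscript.exe', 'cscript.exe', 'wshom.ocx', 'scrrun.dll',
              'vbscript.dll', 'wshext.dll', 'shdocvw.dll', 'jscript.dll')

# Principals whose Execute right means "any local user or process can run WSH".
# Assumed names for a default English install.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$SearchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path $_ }

$Findings = foreach ($dir in $SearchDirs) {
    foreach ($name in $WshFiles) {
        $path = Join-Path $dir $name
        if (-not (Test-Path $path)) { continue }   # e.g. wshext.dll is absent on some builds

        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            # Execute may be granted directly or via ReadAndExecute / FullControl,
            # so test the ExecuteFile bit rather than comparing whole rights values.
            $grantsExecute = ($ace.FileSystemRights -band
                [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsExecute) {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited      # inherited ACEs come from the directory
                    Broad     = $BroadPrincipals -contains $ace.IdentityReference.Value
                }
            }
        }
    }
}

# Broad grants first: these are the candidates for an explicit, narrower DACL.
$Findings | Sort-Object -Property @{Expression = 'Broad'; Descending = $true}, Path |
    Format-Table -AutoSize Path, Identity, Rights, Inherited, Broad

# One-line summary for quick triage.
$broadCount = @($Findings | Where-Object Broad).Count
"Execute allowed to broad principals on $broadCount ACE(s) across $($SearchDirs.Count) directory(ies)."
```

Inherited ACEs mean a change on the file alone will be undone if inheritance is re-applied, so check the Inherited column before deciding where to restrict.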
This archive was generated by hypermail 2b30 : Tue May 21 2002 - 15:25:12 PDT