RE: plugin that will detect servers infected w/ Nimda worm

From: Matt Moore (mattat_private)
Date: Wed Sep 19 2001 - 02:35:50 PDT


    >
    > Which file is modified when the worm hits ? The web root or the root of
    > the current virtual server ?
    
    Probably both.
    
    I've had conflicting reports on the infection method. Some have said the
    worm inserts the JavaScript into *every* .htm, .html and .asp it finds
    whereas one of the AV vendors (Sophos) had a list of specific filenames that
    it modified:
    
    index.html
    index.htm
    index.asp
    readme.html
    readme.htm
    readme.asp
    main.html
    main.htm
    main.asp
    default.html
    default.htm
    default.asp
    
    http_get supplies a Host: header where a servername has been specified - is
    it worth adding another request to the plugin which just uses the IP? (This
    should view the web root in IIS?)
    
    regards,
    
    Matt
    
    >
    >
    > Thanks,
    >
    > 				-- Renaud
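
The check discussed in this message, as an added example (not part of the original post and not the Nessus plugin's code): each of the twelve listed filenames is requested once with the server name as the Host value and once with the bare IP, and any body containing the inserted script is reported. The marker string, host name, IP address, the `fetch` callable and the choice to send the IP as the Host value are assumptions; the thread does not quote the inserted script, so a placeholder stands in for it.

```python
# Added example. MARKER is a constructed placeholder: the thread does not
# quote the script the worm inserts, so substitute the real signature.
MARKER = "<!--INJECTED-SCRIPT-PLACEHOLDER-->"

# Filenames from the vendor list quoted in the message, in the same order.
NAMES = ("index", "readme", "main", "default")
EXTS = ("html", "htm", "asp")
CANDIDATES = [f"/{n}.{e}" for n in NAMES for e in EXTS]


def build_request(path, host):
    """Raw HTTP/1.0 GET; the Host value decides which site answers."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def probe(fetch, servername, ip, marker=MARKER):
    """Request every candidate twice: with the server name as Host (the
    virtual server) and with the bare IP (assumed to reach the web root).
    `fetch` is a caller-supplied function: raw request bytes in, response
    body as str (or None) out. Returns sorted (host, path) pairs whose
    body contains the marker."""
    hits = set()
    for host in dict.fromkeys((servername, ip)):  # drop duplicates, keep order
        for path in CANDIDATES:
            body = fetch(build_request(path, host))
            if body is not None and marker.lower() in body.lower():
                hits.add((host, path))
    return sorted(hits)


def fake_fetch(request):
    """Constructed stand-in for a server: a clean virtual host and a
    default site whose default.htm carries the placeholder marker."""
    line, host_line = request.decode("ascii").split("\r\n")[:2]
    path = line.split(" ")[1]
    host = host_line.split(": ", 1)[1]
    pages = {
        ("www.example.test", "/index.html"): "<html>clean</html>",
        ("192.0.2.10", "/default.htm"): "<html>ok</html>" + MARKER,
    }
    return pages.get((host, path))


if __name__ == "__main__":
    for host, path in probe(fake_fetch, "www.example.test", "192.0.2.10"):
        print(f"modified page served for Host: {host} at {path}")
```

With the constructed data, a scan that only sent the server name would report nothing; the hit appears only on the request that uses the IP.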
    


