Re: plugin that will detect servers infected w/ Nimda worm

From: Alan Pitts (ampat_private)
Date: Wed Sep 19 2001 - 07:49:51 PDT


    Renaud Deraison writes:
     > On Tue, Sep 18, 2001 at 06:24:18PM -0400, Alan Pitts wrote:
     > > 
     > > Hi,
     > > 
     > > Attached is a .nasl plugin that will check to see if the server has
     > > been infected by the Nimda Worm.
     > > 
     > > This plugin will check the index page for readme.eml.
     > > 
     > > Please comment... I would like ideas on how to improve it.
     > 
     > Hi,
     > 
     > Matt Moore sent me the same plugins a few minutes before you :(
    
    Glad to know that there are multiple people trying to get a plugin out
    ASAP. :0)
    
     > 
     > I think that next time I'll give precedence to plugins sent to me via
     > the mailing list rather than sent to me directly. 
     > 
     > Anyway, let's comment the coding style (which is the purpose of this
     > mailing list after all).
     > 
     > 
    
    Thanks for the suggestions! I knew there had to be a better way to
    code this.
    
    I had considered using egrep to check for the presence of the longer
    JavaScript string that is appended to the files. My thought is the
    test would be more specific (maybe reduce false positives). However,
    I could never really get a match using a regex that worked pretty well
    w/ perl. Is it worth using egrep for the test?
    
     > (the argument "port" is needed so that NASL can then look in the KB if
     > the remote server running on that port supports HTTP/1.0 or /1.1).
     > 
     > Which makes me think : maybe doing your request is the way to go, as
     > it'd return the remote web root (not the root of a virtual server). 
     > 
     > Which file is modified when the worm hits ? The web root or the root of
     > the current virtual server ?
    
    One of the people I work w/ has a honeypot that was recently
    infected. He (Jared Allison) says that the worm has changed more than
    just the files mentioned by Sophos. It looks like all files
    w/ .html, .htm, and .asp. That would mean that using http_get would
    work just as well, yes?
    
    Suggestion: Maybe putting a pointer to the cert advisory would be
    helpful for the user. http://www.cert.org/advisories/CA-2001-26.html
    
    Cheers,
    Alan
    
    -- 
    -----------------------------------------------------
    Alan Pitts             |    E-Mail:  ampat_private
    UUNet Technologies     |    Ph:      614.723.4954
    -----------------------------------------------------
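The two checks discussed in this thread, the simple "does the index page mention readme.eml" test and the stricter match on the JavaScript block the worm appends to .html/.htm/.asp files, side by side as an added example in Python (not the .nasl plugin Alan or Matt Moore sent, and not Nessus code). The appended-snippet pattern is written from the string published in the CERT advisory linked above; assumptions are that the scanned host carries that exact snippet, and the sample pages are constructed, not captured from a real server.

```python
import re

# Simple test (what the original plugin does): is readme.eml referenced at all?
SIMPLE = re.compile(rb"readme\.eml", re.IGNORECASE)

# Stricter test: the JavaScript block Nimda appends to served files.
# Assumption: the snippet matches the one quoted in CERT CA-2001-26;
# whitespace and attribute quoting are allowed to vary.
APPENDED = re.compile(
    rb"<script\s+language\s*=\s*[\"']?JavaScript[\"']?\s*>\s*"
    rb"window\.open\(\s*[\"']readme\.eml[\"']\s*,\s*null\s*,\s*"
    rb"[\"']resizable=no,top=6000,left=6000[\"']\s*\)\s*</script>",
    re.IGNORECASE,
)


def classify(body: bytes) -> str:
    """Return 'infected', 'mention' or 'clean' for one fetched page body."""
    if APPENDED.search(body):
        return "infected"   # the worm's appended block is present
    if SIMPLE.search(body):
        return "mention"    # string present but not in the worm's form: likely a false positive
    return "clean"


# Constructed sample pages (not captured from a real host).
SAMPLES = {
    "index.html": b"<html><body>Welcome</body></html>"
                  b'<html><script language="JavaScript">window.open("readme.eml", null, '
                  b'"resizable=no,top=6000,left=6000")</script></html>',
    "advisory.htm": b"<html><body>Nimda drops a file named readme.eml on web servers.</body></html>",
    "about.asp": b"<html><body>Nothing to see here.</body></html>",
}


def scan(pages: dict) -> dict:
    """Classify every page body; keyed by the file name it was fetched as."""
    return {name: classify(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The advisory.htm case is the false positive Alan is worried about: a page that merely talks about readme.eml trips the simple check but not the appended-block regex.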
    



    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 07:49:46 PDT