RE: Publishing Nimda Logs

From: amonotod (amonotodat_private)
Date: Wed May 08 2002 - 07:06:28 PDT

Next message: Jose Nazario: "RE: Publishing Nimda Logs"

Previous message: Laurence Brockman: "Re: Publishing Nimda Logs"
Maybe in reply to: Deus, Attonbitus: "Publishing Nimda Logs"
Next in thread: Emre Yildirim: "RE: Publishing Nimda Logs"
Next in thread: Boyd Lynn Gerber: "Re: Publishing Nimda Logs"
Reply: Emre Yildirim: "RE: Publishing Nimda Logs"
Reply: .JanusAurelius: "RE: Publishing Nimda Logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----Original Message-----
From: Silcock, Stephen [mailto:stephen_silcockat_private]
Sent: Tuesday, May 07, 2002 9:35 PM
>I think many people are underestimating the potential for damage these
>machines hold...
<snip>
>I now have as a result a list of about 2000 infected, and therefore
>trivially exploitable hosts.  While some may be dynamic IP's and some may
>not be as trivially exploitable as it seems; 2000 is a good ballpark 
>figure.
>
>I could; if I had the time and the inclination knock up a DDoS network
>within the space of a day or two using that information - 2000 hosts is no
>small number.
<snip>
>The machines need to be cleaned and set up securely.  If the people 
>running them can't do it they have no business having an internet 
>connection; they're a liabiltiy to the rest of the internet community...

You know what would be really cool?  A worm that installed Linux and/or 
Apache on those machines, while keeping all the previous settings, such as 
the webroot, and publisher permissions, all that good stuff.  No, I didn't 
insinuate that it would be legal, not in the least, but it would be cool!

How about it?  Anyone out there care to knock together a script that'll 
pull IIS settings out of the registry, download and install Apache with the 
same settings, disable IIS, spend (since I've already pulled all this other 
crap out of my butt, lets see if we can find a number also) 24 hours 
scanning for other vulnerable hosts, and then restart the machine?  I think 
the only big challenge would be converting SSL settings, and maybe, 
ensuring the ASP files still work.  Although, isn't there a module for 
using ASP under Apache now?  

Hmmm... Whatever...

>S.   :)

amonotod

-- 
  `\|||/                     amonotod@
   (@ @)                     netscape.net
ooO_(_)_Ooo______________________________
_____|_____|_____|_____|_____|_____|_____|



__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

Next message: Jose Nazario: "RE: Publishing Nimda Logs"
Previous message: Laurence Brockman: "Re: Publishing Nimda Logs"
Maybe in reply to: Deus, Attonbitus: "Publishing Nimda Logs"
Next in thread: Emre Yildirim: "RE: Publishing Nimda Logs"
Next in thread: Boyd Lynn Gerber: "Re: Publishing Nimda Logs"
Reply: Emre Yildirim: "RE: Publishing Nimda Logs"
Reply: .JanusAurelius: "RE: Publishing Nimda Logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 08 2002 - 14:15:17 PDT