|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Mark Vinten (mvinten
CALUK.COM)Date: Wed Sep 19 2001 - 11:05:43 CDT
It depends on who was the originally infection point and how much
priviledges they have over that machine within your network. One of the
things it does is to find any type of share that it has write access to and
then places it into every directory.
Also, it appears that NT/2000-based machines with their default admin shares
are even more vunerable if it is an administrative account that starts the
population (as the C$/D$, etc shares are full control by default).
____________
Mark Vinten ( mvintencaluk.com )
Computer Applications Limited
-----Original Message-----
From: Buck Hicks [mailto:hicksbRITSEMA.COM]
Sent: 19 September 2001 15:37
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Re: Increase of scanning.
My Win2K machine was infected last night. The odd thing is that I use
Netscape for viewing HTML and reading mail. This is a relatively new
install and I hadn't taken the time to install my virus scanner yet.
Anyway, I turned on my computer yesterday and there was an icon on my
desktop that looked like an envelope with the name of readme. I knew not
to open it based on the warnings from these lists. As soon as I tried to
load and run Norton I started getting warnings left and right.
I can not figure out how this attachment was on my desktop, I use
Windows 2000 workstation with a 14 letter password that is not a know
word and no one else logs onto the computer but me. Any ideas?
-----Original Message-----
From: Chad Smykay [mailto:csmykayRACKSPACE.COM]
Sent: Tuesday, September 18, 2001 1:54 PM
To: win2ksecadviceLISTSERV.NTSECURITY.NET
Subject: Increase of scanning.
Apparently there is a new worm called "nimda". Here is some REALLY
general
info:
http://www.f-secure.com/v-descs/nimda.shtml
Other links in regards to this:
http://www.cert.org/current/current_activity.html#port80
http://www.cert.org/advisories/CA-2001-11.html
However I wanted to review what I have found so far. From what I can
tell
there is an "mmc.exe" process or processes that is being run when there
is
NO other users logged in and no such process being spawned.
Also it appears to be doing NetBIOS scans at the same time it is doing
these
IP range scans. By monitoring a current server that is running this
exploit. I see about 20-30 "net.exe and "net1.exe" being spawned. Most
likely they are also trying to do NetBIOS scans either on the current
network they are on or other IP Ranges.
The only thing that we can thing to do at this time is to block this
traffic
VIA IDS.
It also appears that they are attempting to send this new "readme.exe"
via
IIS SMTP Server, but we can not confirm that right now. Anyone?
Here is a snippet from the log files that if you probably check right
now on
your server you will see:
<-- Begin Logfile snip
[Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does
not
exist: /usr/local/etc/httpd/sites/default.ida
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/MSADC/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/c/winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/d/winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist:
/usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system
32/c
md.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist:
/usr/local/etc/httpd/sites/_mem_bin/..%5c../..%5c../..%5c../winnt/system
32/c
md.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist:
/usr/local/etc/httpd/sites/msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á
../
winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..Á ../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..Áoe../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
exist: /usr/local/etc/httpd/sites/scripts/..%2f../winnt/system32/cmd.exe
<-- End logfile snip
Please note that the above is from a Linux Web server but you will see
the
same across the board.
Here is another snip for a Windows NT server logfile
<-- Begin log snip
4:48:02 209.61.190.233 GET /scripts/root.exe 403
14:48:02 209.61.190.233 GET /MSADC/root.exe 200
14:48:31 209.61.187.113 GET /scripts/root.exe 403
14:48:31 209.61.187.113 GET /MSADC/root.exe 200
14:48:31 209.61.187.113 GET /MSADC/root.exe 502
14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500
14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /d/winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
14:48:31 209.61.187.113 GET
/msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe
404
14:48:31 209.61.187.113 GET /scripts/..Á ../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/../../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..\../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
14:48:31 209.61.187.113 GET /scripts/..%2f../winnt/system32/cmd.exe 403
<-- End log snip
If you have ANY addtional info please share with everyone.
Kind Regards,
Chad Smykay
Rackspace Managed Hosting
______________________________________
Chad Smykay
Sys Admin Complex Division
Rackspace Managed Hosting
800-961-4454 ext. 1249.
______________________________________
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]