[Dshield] Shell-Autoresponder for Apache

Jochen Erwied jochen at erwied.de
Tue Nov 13 21:09:31 GMT 2001


Inspired by the Perl script root.exe and with the help of NSpyProxy
(fake-proxy for servers written in Java) I put together a shell-script
which notifies the administrator of his infected webserver.

Sending mails to infected servers is - IMHO - not the right way, because
it's not read anyway. A nice, flashy messagebox is much more effective.

The script comes without warranties. Use it at your own risk.

It does basically nothing but exploit the security hole in IIS and gets its
IP address from an already infected host. If successful, a message is
displayed via 'net send 127.0.0.1' and 'net send *'.

Invocation is done the following way (if anybody has a more elegant
solution, feel free to ask me:)

RewriteEngine On
RewriteRule ^/.*/cmd\.exe.* /cgi-bin/nimda-action [PT]
RewriteRule ^/.*/root\.exe.* /cgi-bin/nimda-action [PT]
RewriteRule ^/.*/.dmin\.dll.* /cgi-bin/nimda-action [PT]
RewriteRule ^/.*/.dmin\.dll.* /cgi-bin/nimda-action [PT]

Script as attachment. Local modifications required, of course.

-- 
Jochen Erwied     | home: jochen at erwied.de     +49-208-38800-18, FAX: -19
Sauerbruchstr. 17 | work: joe at mbs-software.de  +49-2151-7294-24, FAX: -50
D-45470 Muelheim  | this place is for rent. contact me for details!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strike.sh
Type: application/x-sh
Size: 1954 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20011113/ba8a4446/strike.sh
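
Added example, not part of the original post and not the attached strike.sh: the three path patterns from the RewriteRule lines above, applied passively to Apache access-log lines to count matching requests per source address. The function names, the Common Log Format assumption and the sample log lines are constructed for illustration; mod_rewrite matches the decoded URL-path, while this sketch uses the path as logged.

```python
import re
from collections import Counter

# Path patterns copied from the RewriteRule lines in the post.
PROBE_PATTERNS = [re.compile(p) for p in (
    r"^/.*/cmd\.exe.*",
    r"^/.*/root\.exe.*",
    r"^/.*/.dmin\.dll.*",
)]

# Assumed log layout (Common Log Format):
# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def is_probe(target):
    """True if the URL path (query string removed) matches one of the rules."""
    path = target.split("?", 1)[0]
    return any(p.match(path) for p in PROBE_PATTERNS)


def probes_by_source(lines):
    """Count matching requests per client address; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if m and is_probe(m.group(3)):
            hits[m.group(1)] += 1
    return hits


# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2001:21:01:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [13/Nov/2001:21:01:03 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [13/Nov/2001:21:02:10 +0100] "GET /MSADC/Admin.dll HTTP/1.0" 404 280',
    '203.0.113.5 - - [13/Nov/2001:21:03:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    # No directory component before the file name, so the rules do not match.
    '203.0.113.5 - - [13/Nov/2001:21:03:05 +0100] "GET /root.exe HTTP/1.0" 404 270',
    'garbage line without a request',
]

if __name__ == "__main__":
    for host, count in probes_by_source(SAMPLE_LOG).most_common():
        print(f"{host}\t{count}")
```

Because each pattern starts with `^/.*/`, a request for the file directly under the document root (such as `/root.exe`) is not caught by these rules.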

