[Dshield] Nimda box reporting
lweast at leeclerk.org
Thu Aug 8 19:57:11 GMT 2002
Google around for a Nimda response script.
Someone has a script that uses the same vulnerability that allowed the
server to be infected with Nimda in the first place to create a popup
message on the server that it is infected.
As I remember it, it was a PHP script that listened on port 80 for a request
with the Nimda signature and responded with an attack that utilized cmd "net
send" to send a message to the server console demanding that the server be
Code Redneck rings a bell but I can't find the script immediately.
> -----Original Message-----
> From: Russell Washington [mailto:russ.washington at vaultsentry.com]
> Sent: Thursday, August 08, 2002 1:52 PM
> To: 'list at dshield.org'
> Subject: [Dshield] Nimda box reporting
> Question for the masses... (knowing this will probably kick up a lot of
> dust, ducking)
> Does anyone know of a centralized... anything... for getting word to
> compromised box administrators that their boxes are compromised? I'm
> specifically thinking Nimda, although it certainly isn't the only one to
> think about.
> It's easy enough to definitively determine whether a box scanning port 80
> on your range is Nimda-infected, hit its IP in a web browser on a machine
> with decent real-time AV protection and bam, "I killed Nimda" dialog boxes
> start showing up. Presumably (hopefully) the box admin would want to fix
> this... if they knew.
> But getting word to that admin about a confirmed infection...
> Anyway, just a thought. Does any centralized notification thingamabob like
> this exist? Or is the upshot that folks don't pay attention when they get
> these kinds of notifications anyway?