[Dshield] Nimda box reporting

Lane Weast lweast at leeclerk.org
Thu Aug 8 19:57:11 GMT 2002

Google around for a Nimda response script.
Someone has a script that uses the same vulnerability that allowed the
server to be infected with Nimda in the first place to create a popup
message on the server that it is infected.
As I remember it, it was a PHP script that listened on port 80 for a request
with the Nimda signature and responded with an attack that utilized cmd "net
send" to send a message to the server console demanding that the server be
Code Redneck rings a bell but I can't find the script immediately.

> -----Original Message-----
> From: Russell Washington [mailto:russ.washington at vaultsentry.com]
> Sent: Thursday, August 08, 2002 1:52 PM
> To: 'list at dshield.org'
> Subject: [Dshield] Nimda box reporting
>
> Question for the masses... (knowing this will probably kick up a lot of
> dust, ducking)
>
> Does anyone know of a centralized... anything... for getting word to
> compromised box administrators that their boxes are compromised?  I'm
> specifically thinking Nimda, although it certainly isn't the only one to
> think about.
>
> It's easy enough to definitively determine whether a box scanning port 80
> on your range is Nimda-infected, hit its IP in a web browser on a machine
> with decent real-time AV protection and bam, "I killed Nimda" dialog boxes
> start showing up.  Presumably (hopefully) the box admin would want to fix
> this... if they knew.
>
> But getting word to that admin about a confirmed infection... tricky...
>
> Anyway, just a thought.  Does any centralized notification thingamabob
> like this exist?  Or is the upshot that folks don't pay attention when
> they get these kinds of notifications anyway?