[Dshield] Nimda box reporting

Tom Liston tliston at premmag.com
Fri Aug 9 16:04:29 GMT 2002


CodeRedneck is not the name for such a script.

CodeRedneck is the name of a program that I wrote which was an early 
version of LaBrea.

Since I've got your attention, I'll throw in my $0.02.  I would 
STRONGLY advise against the use of such a script.  You are, in a 
legal sense, attacking machines by exploiting a vulnerability.  
Regardless of your intent, running such a script is a very dangerous 
thing to do.

-TL

On 8 Aug 2002 at 15:57, Lane Weast wrote:

> google around for a nimda response script.
> Someone has a script that uses the same vulnerability that allowed the
> server to be infected with Nimda in the first place to create a popup
> message on the server that it is infected.
> As I remember it, it was a php script that listened on port 80 for a request
> with the nimda signature and responded with an attack that utilized cmd "net
> send" to send a message to the server console demanding that the server be
> fixed.
> Code Redneck rings a bell but I can't find the script immediately.
>   
> 
> 
> 
> > -----Original Message-----
> > From: Russell Washington [mailto:russ.washington at vaultsentry.com]
> > Sent: Thursday, August 08, 2002 1:52 PM
> > To: 'list at dshield.org'
> > Subject: [Dshield] Nimda box reporting
> > 
> > 
> > Question for the masses... (knowing this will probably kick up a lot of
> > dust, ducking)
> > 
> > Does anyone know of a centralized... anything... for getting word to
> > compromised box administrators that their boxes are compromised?  I'm
> > specifically thinking Nimda, although it certainly isn't the only one to
> > think about.
> > 
> > It's easy enough to definitively determine whether a box scanning port 80 on
> > your range is Nimda-infected, hit its IP in a web browser on a machine with
> > decent real-time AV protection and bam, "I killed Nimda" dialog boxes start
> > showing up.  Presumably (hopefully) the box admin would want to fix this...
> > if they knew.
> > 
> > But getting word to that admin about a confirmed infection... tricky...
> > 
> > Anyway, just a thought.  Does any centralized notification thingamabob like
> > this exist?  Or is the upshot that folks don't pay attention when they get
> > these kinds of notifications anyway?
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www.dshield.org/mailman/listinfo/list
> > 
> 


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net



