[Dshield] Nimda box reporting
tliston at premmag.com
Fri Aug 9 16:04:29 GMT 2002
CodeRedneck is not the name for such a script.
CodeRedneck is the name of a program that I wrote which was an early
version of LaBrea.
Since I've got your attention, I'll throw in my $0.02. I would
STRONGLY advise against the use of such a script. You are, in a
legal sense, attacking machines by exploiting a vulnerability.
Regardless of your intent, running such a script is a very dangerous
thing to do.
On 8 Aug 2002 at 15:57, Lane Weast wrote:
> google around for a nimda response script.
> Someone has a script that uses the same vulnerability that allowed the
> server to be infected with Nimda in the first place to create a popup
> message on the server that it is infected.
> As I remember it, it was a php script that listened on port 80 for a request
> with the nimda signature and responded with an attack that utilized cmd "net
> send" to send a message to the server console demanding that the server be
> Code Redneck rings a bell but I can't find the script immediately.
> > -----Original Message-----
> > From: Russell Washington [mailto:russ.washington at vaultsentry.com]
> > Sent: Thursday, August 08, 2002 1:52 PM
> > To: 'list at dshield.org'
> > Subject: [Dshield] Nimda box reporting
> > Question for the masses... (knowing this will probably kick up a lot of
> > dust, ducking)
> > Does anyone know of a centralized... anything... for getting word to
> > compromised box administrators that their boxes are compromised? I'm
> > specifically thinking Nimda, although it certainly isn't the only one to
> > think about.
> > It's easy enough to definitively determine whether a box scanning port 80 on
> > your range is Nimda-infected, hit its IP in a web browser on a machine with
> > decent real-time AV protection and bam, "I killed Nimda" dialog boxes start
> > showing up. Presumably (hopefully) the box admin would want to fix this...
> > if they knew.
> > But getting word to that admin about a confirmed infection... tricky...
> > Anyway, just a thought. Does any centralized notification thingamabob like
> > this exist? Or is the upshot that folks don't pay attention when they get
> > these kinds of notifications anyway?
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
Tom Liston, GSEC
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net