[Dshield] Something different in Apache logs

Johannes B. Ullrich jullrich at sans.org
Fri Mar 1 12:28:20 GMT 2002

Hash: SHA1

> > - - [27/Feb/2002:15:24:40 -0800] "GET /scripts/Admin.dll
> > HTTP/1.0" 404 295
> This looks like an attempt to put a trojan on your system and then run
> it. Bad stuff indeed. If you had cleaned out Nimda, but left behind the
> trojaned root.exe, well... Nimda would have reinfected you, but also
> this little devil would work and they'd have remote control of your
> machine.

I think this is just the newest manifestation of a trend to
take advantage of nimda infected machines. In essence,
Nimda's function was to roll several vulnerabilities (unicode,
tftp, browser issues) into one easy to exploit 'root.exe'.

Given how ubiquitous Nimda is, there is little point in exploiting
and of the prior vulnerabilities. It is much easier to go straight
for 'root.exe'. In particular, as people are starting to build DDOS
networks, they probably just go for root.exe, install their agent,
and even clean up a bit to protect their bot-net.

Instead of scanning blindly, these parasitic attacks could also use
target lists compiled by collecting IPs from Nimda infected hosts
scanning them.

Well, in short: Nimda and unpatched IIS machines are still a huge
problem. But maybe after the next big DDOS attack is launched 
using these machines, someone will smell the coffee (which I am 
doing right now at this time of the day) and find a way to shut
Nimda down. As an end user, there is not too much you can do about
this, other than patch your machines ... we are sending out reports
to ISPs about this, and maybe it is time for another big push. But
after so many months, I don't think it will be easy to reach the
remaining systems.

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the list mailing list