[Dshield] IIS Logs

Rich Kittell richard at quarky.org
Fri Mar 29 18:59:23 GMT 2002


Erick,

As far as technique for getting the console message to pop-up, you might want to have a look at http://www.dynwebdev.com/codered for "Code-Red Vigilante". It is a Java sourced "web server" that recognizes the Code-Red signature and puts up a message on the infected server's console. As I recall, "Crazy Bob" had to fiddle with getting the console message to work more often than not, so you may be able to leverage what he learned.

Richard

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Erick Brockway
Sent: 2002/03/29 09:27
To: list at dshield.org
Subject: RE: [Dshield] IIS Logs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Oops, and occasionally I mess up and mis-configure my default email
and send from the wrong account (sorry Johannes).
	Also to be clear, it wouldn't break my heart if the script did shut
down the IIS machine infected by the trojan, but simply shutting it
down would be useless. It would simply be restarted eventually,
chkdisk would run, and the trojan would be back up probing.
	I've found with the machine that's infected it's possible to send a
console message which remains on the screen until the user hits the
OK button. After the perl script triggers the firewall alert, I fire
off a short message directing the user to ZoneAlarm, trojan remover
and NAI.com. I'd like to automate this, and I'm trying
(unsuccessfully so far) to get the script to send a console message.
May be over my head at this point in time though.


- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Forum Admin
Sent: Thursday, March 28, 2002 10:57 PM
To: list at dshield.org
Subject: RE: [Dshield] IIS Logs
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Well, I've been running a perl "StrikeBack" script on my Apache
server for a little over a month. Although I've yet to see it shut
down an infected machine, it DOES trigger a firewall rule rather
nicely whenever Perl.exe accesses the internet in response to a code
red or nimda probe. I'm working on a way to have it post a console
message to the infected computer, which would remain on the victim's
screen until they hit OK. Been sending them manually so far, and in
only one case has it failed to get the user's attention. Haven't had
but one repeat scan.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKSV0JkmeTuuwg2cEQLX3wCg0cmtsAvavXU235rK08bSEa9VnlkAoPvq
6sq2p2ojbqpj0KWWKEcJgUzl
=UFSF
-----END PGP SIGNATURE-----
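The thread talks about recognizing Code Red and Nimda probes in IIS logs and then alerting whoever owns the probing (i.e. infected) host. As an added example that is not code from this thread, from Erick's Perl "StrikeBack" script or from Code-Red Vigilante, the Python below parses IIS W3C extended log lines, matches the well-known Code Red (`/default.ida`) and Nimda (`root.exe` / `cmd.exe`) request signatures, and reports probe counts per source address so the administrator can decide whom to notify. The sample log, the `192.0.2.x` / `198.51.100.x` addresses and the shortened Code Red query string are all constructed for the example; it does not contact the probing hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an IIS 5 W3C extended log (not taken from the thread).
# 192.0.2.10 and 192.0.2.44 stand in for infected hosts; 198.51.100.x are
# ordinary visitors. IIS writes "+" for spaces inside a field, so the lines
# split cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-28 22:57:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-28 22:57:01 198.51.100.20 GET /index.html - 200
2002-03-28 22:57:14 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=a 200
2002-03-28 22:58:02 192.0.2.44 GET /scripts/root.exe /c+dir 404
2002-03-28 22:58:03 192.0.2.44 GET /MSADC/root.exe /c+dir 404
2002-03-28 22:58:04 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-03-28 22:58:05 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-03-28 22:59:30 198.51.100.21 GET /images/logo.gif - 200
2002-03-28 23:01:12 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a 200
"""

# Signatures are matched on the URI stem only: the Code Red query string is a
# long filler buffer that differs between variants, while the stem is stable.
# Nimda's many traversal encodings all end in one of the same two targets.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida$", re.IGNORECASE)),
    ("nimda", re.compile(r"/(root\.exe|cmd\.exe)$", re.IGNORECASE)),
]


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than guess at the columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the worm family whose probe signature the request matches, else None."""
    stem = record.get("cs-uri-stem", "")
    for family, pattern in SIGNATURES:
        if pattern.search(stem):
            return family
    return None


def probes_by_source(text):
    """Map each probing client IP to a dict of worm family -> probe count.

    The HTTP status is deliberately ignored: a 404 only says this server was
    not vulnerable, not that the request was benign.
    """
    report = defaultdict(Counter)
    for record in parse_w3c_log(text):
        family = classify(record)
        if family:
            report[record["c-ip"]][family] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


if __name__ == "__main__":
    for ip, counts in sorted(probes_by_source(SAMPLE_LOG).items()):
        print(ip, counts)
```

Run against a real log, the per-address report is the input to whatever notification step follows; keying on the source address matters because, for both worms, the host sending the probe is the infected one.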

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list