[Dshield] Look at this Nitwit

Rick Klinge rick at jaray.net
Thu Jan 29 03:18:12 GMT 2004


What about this:

<%
'Get the entire URL requested
myRequest = Request.ServerVariables("QUERY_STRING")

'A list of filenames Nimda looks for
myBadList = "cmd.exe,root.exe,admin.dll,default.ida"

'Detect a GET request from the Nimda virus and take appropriate action
arrBadString = Split(myBadList, ",")
For i = 0 To UBound(arrBadString)
    If InStr(myRequest, arrBadString(i)) > 0 Then
        'Turn offending server back on itself
        Response.Redirect "http://127.0.0.1"
    End If
Next
%>

Guess it doesn't go through... Perhaps it works too well?

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of Keith Bergen
> Sent: Wednesday, January 28, 2004 5:13 PM
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] Look at this Nitwit
> 
> 
> There was some talk on this list about putting a fake 
> default.ida file out there. I can't remember exactly what the 
> consensus was (if there was one). Check through the archives, 
> I remember quite a lot of discussions on the code red and 
> nimda viruses.
> 
> It would seem to me that a zero-byte default.ida would take 
> less outgoing bandwidth than a URL 404 message, but I may be 
> over-simplifying it.
> 
> Keith. 
> 
> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of David Hart
> Sent: Wednesday, January 28, 2004 5:41 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Look at this Nitwit
> 
> 
> On Wed, 2004-01-28 at 16:50, Keith Bergen wrote:
> > Yes. That is a Windows IIS server that is infected with the Nimda
> > virus and trying to propagate it to your box. There's probably not a
> > lot you can do about it apart from sending an email to his provider
> > with the logs. . . .
> 
> Thanks
> 
> How do you feel about a zero-byte default.ida? It saves some
> cycles. Any downside?
>
> 
>                                ---------
>             Quality Management - A Commitment to Excellence
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
> 
> 
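
Added example, not part of the original thread: a log-side counterpart to the filename check in the ASP snippet above, tallying probe requests per source address so the matching log lines can be sent to that host's provider. The log lines, addresses and function names are constructed for illustration. It goes beyond the snippet's substring match by undoing repeated percent-encoding and comparing only the final path component, case-insensitively.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Filenames taken from myBadList in the post.
BAD_NAMES = ("cmd.exe", "root.exe", "admin.dll", "default.ida")

# Constructed sample lines in Common Log Format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jan/2004:16:41:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [28/Jan/2004:16:41:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [28/Jan/2004:16:41:04 -0500] "GET /_vti_bin/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [28/Jan/2004:16:45:10 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
203.0.113.5 - - [28/Jan/2004:16:50:00 -0500] "GET /docs/cmd.exe.html HTTP/1.1" 200 5120
203.0.113.5 - - [28/Jan/2004:16:50:01 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode_fully(text, rounds=3):
    """Undo nested percent-encoding (e.g. %255c -> %5c -> backslash)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def probed_name(url):
    """Return the probed filename if the URL path ends in one, else None."""
    path = decode_fully(url.split("?", 1)[0]).replace("\\", "/").lower()
    leaf = path.rsplit("/", 1)[-1]
    return leaf if leaf in BAD_NAMES else None

def summarize(log_text):
    """Map each source address to a Counter of probed filenames."""
    hits = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        source, _method, url, _status = match.groups()
        name = probed_name(url)
        if name:
            hits.setdefault(source, Counter())[name] += 1
    return hits

if __name__ == "__main__":
    for source, names in sorted(summarize(SAMPLE_LOG).items()):
        print(source, dict(names))
```

The request for /docs/cmd.exe.html is not counted, where a plain substring test on the URL would have matched it.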
