NIMDA worm; MSIISProbes.pm
Hello,

Now that Micro$oft has finally put out some information about their latest trick I have posted a new version of MSIISProbes.pm. Version 1.02 changes include putting the URL to a page containing info about each worm into a PerlSetVar ... this means that once you have configured MSIISProbes.pm with your e-mail and caching preferences, you can add traps for new worms as Micro$oft releases them, er, discovers them.

Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz

More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html

Comments/flames welcome.

- nick

~~~
Nick Tonkin
[OT] Re: Nimda worm
On Tue, Sep 18, 2001 at 04:07:59PM -0700, Nick Tonkin wrote:

> Heh, as Nat maybe saw the worm doesn't always request ?/c+dir, so until I
> can figure out a better way to identify it we'll have to go with
> cmd.exe|root.exe

Here's a sample Nimda hit (courtesy of 'nc -l -p 80' -- try it yourself on a net-connected machine not already running a web server and just wait a few seconds):

    GET /scripts/root.exe?/c+dir HTTP/1.0
    Host: www
    Connnection: close

Note the Host: www header. You can trap this one by setting up a virtualhost called 'www'.
Re: NIMDA worm; MSIISProbes.pm
Nick Tonkin writes:

> Now that Micro$oft has finally put out some information about their latest
> trick I have posted a new version of MSIISProbes.pm. Version 1.02 changes
> include putting the URL to a page containing info about each worm into a
> PerlSetVar ... this means that once you have configured MSIISProbes.pm with
> your e-mail and caching preferences, you can add traps for new worms as
> Micro$oft releases them, er, discovers them.
>
> Available at http://www.tonkinresolutions.com/MSIISProbes.pm.tar.gz
>
> More info at http://www.tonkinresolutions.com/MSIISProbes.pm.html

I was looking at your Apache::MSIISProbes module, and I didn't understand the part about the nimda rewrite rules, mostly because I haven't used the rewrite rules. Do the following rules

    RewriteCond %{REQUEST_URI} !nimda
    RewriteCond %{QUERY_STRING} /c.dir
    RewriteRule .* /nimda? [R,L]

mean unless I've already rewritten the rule, if the query string matches c.dir (i.e., will match c+dir found in most of the requests), rewrite the request as /nimda?

From my observation, nimda also tries c+tftp and tries to get /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and /MSADC/Admin.dll. Could I change the rewrite rules to

    RewriteCond %{REQUEST_URI} !nimda
    RewriteCond %{QUERY_STRING} /c.(tftp|dir)
    RewriteRule .* /nimda? [R,L]

to catch either request, and then do

    RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
    RewriteRule .* /nimda? [R,L]

to catch the others?

Thanks.
Re: NIMDA worm; MSIISProbes.pm
On Wed, 19 Sep 2001, Bruce Albrecht wrote:

> I was looking at your Apache::MSIISProbes module, and I didn't understand the
> part about the nimda rewrite rules, mostly because I haven't used the rewrite
> rules. Do the following rules
>
>     RewriteCond %{REQUEST_URI} !nimda
>     RewriteCond %{QUERY_STRING} /c.dir
>     RewriteRule .* /nimda? [R,L]
>
> mean unless I've already rewritten the rule, if the query string matches
> c.dir (i.e., will match c+dir found in most of the requests), rewrite the
> request as /nimda?

right.

> From my observation, nimda also tries c+tftp and tries to get
> /scripts/Admin.dll, /c/Admin.dll, /d/Admin.dll and /MSADC/Admin.dll. Could I
> change the rewrite rules to
>
>     RewriteCond %{REQUEST_URI} !nimda
>     RewriteCond %{QUERY_STRING} /c.(tftp|dir)
>     RewriteRule .* /nimda? [R,L]
>
> to catch either request, and then do
>
>     RewriteCond %{REQUEST_URI} /(scripts|MSADC|c|d)/Admin.dll
>     RewriteRule .* /nimda? [R,L]
>
> to catch the others?

Well, the rules you put forward seem fine, but I'm not sure you'll catch everything ... BTW the '?' on the end is to remove the query string ... if you leave it off mod_rewrite puts the original one back.

- nick
Nimda worm
Heh, as Nat maybe saw the worm doesn't always request ?/c+dir, so until I can figure out a better way to identify it we'll have to go with cmd.exe|root.exe, so my httpd.conf is now:

    <Location /default.ida>
        SetHandler perl-script
        PerlHandler Apache::MSIISProbes
        PerlSetVar worm_name CodeRed
    </Location>

    <LocationMatch (cmd.exe|root.exe)>
        SetHandler perl-script
        PerlHandler Apache::MSIISProbes
        PerlSetVar worm_name Nimda
    </LocationMatch>

~~~
Nick Tonkin
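To see what Bruce's RewriteCond chains and Nick's Location/LocationMatch traps actually do to a request, here is an added Python example (not part of the thread and not code from Apache::MSIISProbes) that emulates both over a few constructed request lines modelled on the probes quoted above; the sample lines and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the thread: Bruce's proposed RewriteCond regexes and
# Nick's Location / LocationMatch traps. Dots are escaped here; the httpd.conf
# pattern cmd.exe|root.exe leaves them as wildcards, which matches the same hits.
NIMDA_QUERY = re.compile(r"/c.(tftp|dir)")                        # RewriteCond %{QUERY_STRING}
NIMDA_ADMIN_DLL = re.compile(r"/(scripts|MSADC|c|d)/Admin\.dll")  # RewriteCond %{REQUEST_URI}
NIMDA_LOCATION = re.compile(r"cmd\.exe|root\.exe")                # <LocationMatch (cmd.exe|root.exe)>
CODERED_LOCATION = "/default.ida"                                 # <Location /default.ida>
REQ_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d$")              # request line as seen by 'nc -l -p 80'

def rewrite(target):
    """Emulate the two RewriteCond/RewriteRule chains on one request target.
    Apache's REQUEST_URI excludes the query string, so the target is split first."""
    parts = urlsplit(target)
    uri, query = parts.path, parts.query
    if "nimda" in uri:          # RewriteCond %{REQUEST_URI} !nimda fails: already rewritten
        return target
    if NIMDA_QUERY.search(query) or NIMDA_ADMIN_DLL.search(uri):
        return "/nimda"         # the trailing '?' in '/nimda?' discards the old query string
    return target

def trap(target):
    """Which worm_name handler Nick's httpd.conf would dispatch this request to."""
    path = urlsplit(target).path
    if path == CODERED_LOCATION:
        return "CodeRed"
    if NIMDA_LOCATION.search(path):
        return "Nimda"
    return None

# Constructed request lines, modelled on the probes quoted in the thread.
SAMPLE_LOG = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/Admin.dll HTTP/1.0",
    "GET /default.ida HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def scan_log(lines):
    """Return (target, rewritten_to, trapped_as) for every parseable request line."""
    results = []
    for line in lines:
        m = REQ_LINE.match(line)
        if m:
            t = m.group(1)
            results.append((t, rewrite(t), trap(t)))
    return results
```

Running scan_log(SAMPLE_LOG) shows the gap Nick hints at: the Admin.dll probe is caught by the rewrite rule but never reaches the cmd.exe|root.exe LocationMatch trap.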