[Debian] nimda on Linux ??



Hello *,

Right now a new Internet worm called "nimda" is once again haunting the
networks. But everything I have read about this worm says that it _ONLY_
attacks WinXX(XX)? machines ... !!

Now I have checked my Apache log and found the following:

| 217.17.225.197 - - [19/Sep/2001:16:50:17 +0200] "GET
| /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:19 +0200] "GET
| /MSADC/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:21 +0200] "GET
| /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:26 +0200] "GET
| /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:38 +0200] "GET
| /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-"
| "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:40 +0200] "GET
| /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
| HTTP/1.0" 404 324 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:42 +0200] "GET
| /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
| HTTP/1.0" 404 324 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:44 +0200] "GET
| /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
| HTTP/1.0" 404 340 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:46 +0200] "GET
| /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
| "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:51 +0200] "GET
| /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
| "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:54 +0200] "GET
| /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
| "-" "-"

OK, looks like a nimda attack ... so let's let my nmap loose on it
... just out of curiosity #8-):

| thoregon:~# nmap -v -sS -sR -O 217.17.225.197
| 
| Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
| Host  (217.17.225.197) appears to be up ... good.
| Initiating SYN Stealth Scan against  (217.17.225.197)
| Adding open port 25/tcp
| Adding open port 1002/tcp
| Adding open port 1723/tcp
| Adding open port 80/tcp
| Adding open port 135/tcp
| Adding open port 443/tcp
| Adding open port 139/tcp
| Adding open port 2043/tcp
| Adding open port 8007/tcp
| Adding open port 8080/tcp
| The SYN Stealth Scan took 221 seconds to scan 1548 ports.
| Initiating RPCGrind Scan against  (217.17.225.197)
| The RPCGrind Scan took 35 seconds to scan 1548 ports.
| For OSScan assuming that port 25 is open and port 1 is closed and 
| neither are firewalled
| For OSScan assuming that port 25 is open and port 1 is closed and 
| neither are firewalled
| For OSScan assuming that port 25 is open and port 1 is closed and 
| neither are firewalled
| Interesting ports on  (217.17.225.197):
| (The 1538 ports scanned but not shown below are in state: closed)
| Port       State       Service (RPC)
| 25/tcp     open        smtp
| 80/tcp     open        http
| 135/tcp    open        loc-srv
| 139/tcp    open        netbios-ssn
| 443/tcp    open        https
| 1002/tcp   open        unknown
| 1723/tcp   open        pptp
| 2043/tcp   open        isis-bcast
| 8007/tcp   open        jserv
| 8080/tcp   open        http-proxy
| 
| No exact OS matches for host (If you know what OS is running on it, 
| see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
|
| TCP/IP fingerprint:
| SInfo(V=2.54BETA28%P=i586-pc-linux-gnu%D=9/19%Time=3BA8B2BC%O=25%C=1)
                       ^^^^^^^^^^^^^^^^^
| TSeq(Class=RI%gcd=1%SI=4DB4C%TS=U)
| TSeq(Class=RI%gcd=1%SI=E24DC%IPID=RD%TS=U)
| TSeq(Class=RI%gcd=1%SI=72C08%TS=U)
| T1(Resp=Y%DF=Y%W=2238%ACK=S++%Flags=AS%Ops=M)
| T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
| T3(Resp=Y%DF=Y%W=2238%ACK=S++%Flags=AS%Ops=M)
| T4(Resp=N)
| T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
| T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
| T5(Resp=N)
| T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
| T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
| PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
| PU(Resp=N)
| PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
|  
| TCP Sequence Prediction: Class=random positive increments
|                          Difficulty=470024 (Good luck!)
| IPID Sequence Generation: Busy server or unknown class
| 
| Nmap run completed -- 1 IP address (1 host up) scanned in 294 seconds

Seems to be a Linux box!! Or am I misinterpreting something
there??

Could it be that the "nimda" attack came from a machine sitting
behind this Linux box and acting via masquerading or a proxy??

	Regards, Markus

-- 
[ markus hubig    ] [ mail: mhubig@web.de    ] [ debian/gnu linux 2.3 sid ]
[ vorholzstraße 6 ] [ icq:  98188685	     ] [ linux 2.4.9 i686	  ]
[ 76131 karlsruhe ] [ tele: +049 721 6657522 ] [ reg. Linux user #204961  ]
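As an added example (not part of Markus's mail), a small Python script that flags the probe signatures visible in the quoted access-log entries (root.exe, cmd.exe, the double-encoded %255c and the overlong-UTF-8 traversal sequences) and groups the hits by source address. The sample log lines are constructed from the excerpt above plus one benign request; the token list and the scan_log helper are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the access-log excerpt quoted in the mail
# (three probe lines from the post, plus one ordinary request for contrast).
SAMPLE_LOG = """\
217.17.225.197 - - [19/Sep/2001:16:50:17 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
217.17.225.197 - - [19/Sep/2001:16:50:38 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
217.17.225.197 - - [19/Sep/2001:16:50:54 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
10.0.0.5 - - [19/Sep/2001:16:51:00 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache common/combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Raw request-path tokens that the quoted probes contain. Matching on the
# undecoded path is deliberate: %255c only becomes a backslash after a second
# decode, and %c0%af / %c0%2f / %c1%1c are not valid UTF-8 at all.
INDICATORS = {
    "root.exe": "root.exe backdoor probe (Code Red II / Nimda)",
    "cmd.exe": "direct cmd.exe invocation",
    "%255c": "double-encoded backslash traversal",
    "%c0%af": "overlong UTF-8 '/' traversal",
    "%c0%2f": "overlong UTF-8 '/' traversal",
    "%c1%1c": "overlong UTF-8 '\\' traversal",
}


def classify(path):
    """Return the sorted list of indicator tokens found in a raw request path."""
    lower = path.lower()
    return sorted(token for token in INDICATORS if token in lower)


def scan_log(text):
    """Map each source IP to its flagged requests as (timestamp, path, status, tokens)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Apache access-log shape
        tokens = classify(m["path"])
        if tokens:
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"]), tokens))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} probe(s)")
        for ts, path, status, tokens in reqs:
            print(f"  [{ts}] {status} {path}  <- {', '.join(INDICATORS[t] for t in tokens)}")
```

A 404 on every probe, as in the quoted log, means the requested IIS paths do not exist on this server; the script only records that the scan happened and where it came from.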
