> Looking at my logs, it seems to work:
>
> GET /cmd.dll HTTP/1.0" 302
>
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302

Yeah, but just because your Apache sends a 302 code back to
the Nimda box doesn't mean it will use this information and hit
www.microsoft.com. If you redirected it to another one of your own
boxes and watched this happen (302 on the Redirect box, 404 on your
second box, from the same IP) I'd believe it.

Even better, check out

http://www.incidents.org/LaBrea/

It's a utility that pretends to be unused IP addresses, and when a
scanner hits one of these addresses the daemon holds the connection
open permanently.

Chris
--
Christopher S. Swingley phone: 907-474-2689
Computer / Network Manager email: cswingle@iarc.uaf.edu
IARC -- Frontier Program GPG and PGP keys at my web page:
University of Alaska Fairbanks www.frontier.iarc.uaf.edu/~cswingle
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Ben Franklin