Security Incidents mailing list archives
Re: Concept Virus(CV) V.5 - Quick analysis update
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Sep 2001 21:46:19 -0400
On Tue, Sep 18, 2001 at 08:05:50PM -0400, Homer Wilson Smith wrote:
If any one has the proper entries in the apache 1.3.20 config file to block the gets to Admin.dll, root.exe and cmd.exe, I would appreciate knowing about them. Been playing with <FilesMatch> and <DirectoryMatch> but they only seem to work IF the directory path actually exists on the machine.
We are being swamped here.
Huh??? What are you trying to accomplish? If you don't have them, you are going to return an error and nothing you can configure in Apache will prevent the worm from requesting them. How, exactly, do you propose to "block them"? The "mod_telpathy" module has not even made it to alpha test, so how are you going to detect and block the requests before they are made?
Homer
------------------------------------------------------------------------
Homer Wilson Smith      Clean Air, Clear Water,   Art Matrix - Lightlink
(607) 277-0959          A Green Earth and Peace.  Internet Access, Ithaca NY
homer () lightlink com  Is that too much to ask?  http://www.lightlink.com
[...]
More infection routes:
The worm, upon infecting a new host, goes through all the shared directories and their subdirectories and plants the following files in each dir:
sample.nws sample.eml desktop.eml desktop.nws
This is through network shares and drives.
[...]
Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
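Added example, not part of the messages above: since the requests for Admin.dll, root.exe and cmd.exe arrive regardless of configuration, one thing an Apache operator can do is tally them per source host from the access log. The sketch assumes Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# File names the thread says are being requested.
PROBE_FILES = {"admin.dll", "root.exe", "cmd.exe"}
# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:20:01:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:20:01:03 -0400] "GET /c/winnt/system32/cmd.exe?a=b HTTP/1.0" 404 290',
    '192.0.2.10 - - [18/Sep/2001:20:01:04 -0400] "GET /scripts/Admin.dll HTTP/1.0" 404 277',
    '198.51.100.7 - - [18/Sep/2001:20:02:10 -0400] "GET /scripts/cmd%2Eexe HTTP/1.0" 404 276',
    '203.0.113.5 - - [18/Sep/2001:20:03:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [18/Sep/2001:20:03:05 -0400] "GET /docs/cmd.exe.html HTTP/1.0" 200 512',
]

def probe_target(request_line):
    """Return the requested file name (lowercased) if it is a probe, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = unquote(parts[1].split("?", 1)[0])  # drop query, decode %xx once
    leaf = re.split(r"[/\\]", path)[-1].lower()  # last path component
    return leaf if leaf in PROBE_FILES else None

def summarize(lines):
    """Map source host -> hits, distinct probe files, and non-error responses."""
    report = defaultdict(lambda: {"hits": 0, "files": set(), "served": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not Common Log Format; skip
        host, request, status = m.group(1), m.group(2), int(m.group(3))
        leaf = probe_target(request)
        if leaf is None:
            continue
        entry = report[host]
        entry["hits"] += 1
        entry["files"].add(leaf)
        if status < 400:
            entry["served"] += 1  # a probe that did not get an error response
    return dict(report)

if __name__ == "__main__":
    for host, e in sorted(summarize(SAMPLE_LOG).items()):
        print(host, e["hits"], sorted(e["files"]), e["served"])
```

A non-zero `served` count for any host means one of those names resolved to real content on the server and is worth a closer look.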