Security Incidents mailing list archives
Re: Tracking down the still infected hosts
From: "Dale Lancaster" <dale () lancaster hm>
Date: Tue, 25 Sep 2001 16:34:37 -0400
A Redirect permanent directive seems to have done it for our site. Nimda traffic has gone way down. A standard "redirect", considered temporary, would probably not do it. However I am seeing new log entries that I haven't seen before: [Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc It may just be some misconfiguration in our site, but the shtml.exe seems to point to something else since we don't use .exe stuff on our site. These are flooding my site, but we get lots of them over a day. dml ----- Original Message ----- From: "Kyle R. Hofmann" <krh () lemniscate net> To: <incidents () securityfocus com> Sent: Tuesday, September 25, 2001 3:28 PM Subject: Re: Tracking down the still infected hosts
On Tue, 25 Sep 2001 11:24:49 -0500, Tina Bird wrote:According to Ryan Russell (who's been analyzing the worm code), Nimda doesn't honor redirects - it just checks the response it gets from a Web server to determine whether or not the server is vulnerable. It doesn't follow redirects. So what does this actually accomplish?Actually, I'm not sure it accomplishes anything. I read the post saying
that
redirecting Nimda to 127.0.0.1 killed it or slowed it down, and I wrote
and
posted my redirection tool before I spent a lot of time watching Nimda's reaction to it. Now that I've let it run overnight, I'm convinced that it doesn't do any good. Nimda traffic on my machine has actually gone up, because now it doesn't stop--it just keeps pounding on me, gleefully
ignorning
the redirects. I've gotten about 1.44 HTTP connections per minute in the past six hours, primarily from two persistent machines, whereas yesterday, before I had written my tool, I got about 0.391 connections per minute
spread
out among a half-dozen or so machines. Since none of this is legitimate traffic (my machine hasn't run a web server in half a year), for machines that don't run web servers it's clearly less effective to send redirects
than
to simply refuse connections. I suspect that the same is true for web servers, as well. -- Kyle R. Hofmann <krh () lemniscate net> --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Tracking down the still infected hosts Darren Windham (Sep 24)
- Re: Tracking down the still infected hosts Mike Lewinski (Sep 24)
- <Possible follow-ups>
- RE: Tracking down the still infected hosts Martinez, Simon (Sep 24)
- RE: Tracking down the still infected hosts Fulton L. Preston Jr. (Sep 24)
- RE: Tracking down the still infected hosts Ryan McDonnell (Sep 25)
- Re: Tracking down the still infected hosts Kyle R. Hofmann (Sep 25)
- Re: Tracking down the still infected hosts Tina Bird (Sep 25)
- Re: Tracking down the still infected hosts Skip Carter (Sep 25)
- Re: Tracking down the still infected hosts Kyle R. Hofmann (Sep 25)
- Re: Tracking down the still infected hosts Dale Lancaster (Sep 25)
- Re: Tracking down the still infected hosts Duncan Hill (Sep 25)
- Re: Tracking down the still infected hosts Josh Burroughs (Sep 25)
- Message not available
- Re: Tracking down the still infected hosts Nicole Haywood (Sep 25)
- Re: Tracking down the still infected hosts Ryan Russell (Sep 25)