Vulnerability Development mailing list archives

RE: Publishing Nimda Logs

From: amonotod () netscape net (amonotod)
Date: Wed, 08 May 2002 10:06:28 -0400

-----Original Message-----
From: Silcock, Stephen [mailto:stephen_silcock () cleanaway com au]
Sent: Tuesday, May 07, 2002 9:35 PM

I think many people are underestimating the potential for damage these
machines hold...

<snip>

I now have as a result a list of about 2000 infected, and therefore
trivially exploitable hosts.  While some may be dynamic IP's and some may
not be as trivially exploitable as it seems; 2000 is a good ballpark 
figure.

I could; if I had the time and the inclination knock up a DDoS network
within the space of a day or two using that information - 2000 hosts is no
small number.

<snip>

The machines need to be cleaned and set up securely.  If the people 
running them can't do it they have no business having an internet 
connection; they're a liabiltiy to the rest of the internet community...


You know what would be really cool?  A worm that installed Linux and/or 
Apache on those machines, while keeping all the previous settings, such as 
the webroot, and publisher permissions, all that good stuff.  No, I didn't 
insinuate that it would be legal, not in the least, but it would be cool!

How about it?  Anyone out there care to knock together a script that'll 
pull IIS settings out of the registry, download and install Apache with the 
same settings, disable IIS, spend (since I've already pulled all this other 
crap out of my butt, lets see if we can find a number also) 24 hours 
scanning for other vulnerable hosts, and then restart the machine?  I think 
the only big challenge would be converting SSL settings, and maybe, 
ensuring the ASP files still work.  Although, isn't there a module for 
using ASP under Apache now?  

Hmmm... Whatever...

S.   :)


amonotod

-- 
  `\|||/                     amonotod@
   (@ @)                     netscape.net
ooO_(_)_Ooo______________________________
_____|_____|_____|_____|_____|_____|_____|



__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with 
Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

Current thread:

Re: Publishing Nimda Logs, (continued)
- Re: Publishing Nimda Logs zeno (May 08)
  - Re: Publishing Nimda Logs Raistlin (May 08)
- Fw: Publishing Nimda Logs Knud Erik Højgaard (May 08)
- RE: Publishing Nimda Logs Healy, S. S., CTM2 (May 08)
  - Re: Publishing Nimda Logs Knud Erik Højgaard (May 08)
  - is: greyhat virus was Re: Publishing Nimda Logs Matthew McGehrin (May 08)
  - Re: Publishing Nimda Logs Meritt James (May 08)
  - Re: Publishing Nimda Logs Jordan Frank (May 08)
    - Re: Publishing Nimda Logs Valdis . Kletnieks (May 09)
    - Re: Publishing Nimda Logs John Dow (May 09)
- RE: Publishing Nimda Logs amonotod (May 08)
  - RE: Publishing Nimda Logs Emre Yildirim (May 08)
  - RE: Publishing Nimda Logs .JanusAurelius (May 08)
- RE: Publishing Nimda Logs amonotod (May 09)
- RE: Publishing Nimda Logs Seymour, Keith (May 09)