
List:       ntbugtraq
Subject:    Nimda + apache
From:       Matthew Groeninger <Matthew.Groeninger () REQUISITE ! COM>
Date:       2001-09-24 19:04:46

The more I see of this bug, the more concerned I become.

This comes from a Windows NT machine running Apache+jakarta, which was
infected through a website (apparently twice).  At the bottom of this email
are the changes Nimda made to the apache.conf.  While the changes were not
effective (indeed, the service will not start, which is how the infection
was identified) I am concerned that a 78k worm has this much overall
capability.  It is thorough in its attack and thorough in its infection.
It appeared well targeted at (primarily) corporate vulnerabilities, and very
capable of exploiting common administration deficiencies.

Has anyone found a good write-up of the entire scope of this worm
(preferably with stack reference and specifics of the binary), such as
eEye's write-up of Code Red? (Keep up the good work, Marc)


Alias /new scanner specifications.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml">
    Options Indexes FollowSymLinks
</Directory>
ApJServMount /new scanner specifications.eml/servlet /new scanner specifications.eml
<Location "/new scanner specifications.eml/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml/WEB-INF/">
    AllowOverride None
    deny from all
</Directory>
<Location "/new scanner specifications.eml/META-INF/">
    AllowOverride None
    deny from all
</Location>
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml/META-INF/">
    AllowOverride None
    deny from all
</Directory>

Alias /requisite logo short.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/requisite logo short.eml"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml">
    Options Indexes FollowSymLinks
</Directory>
ApJServMount /logo short.eml/servlet /logo short.eml
<Location "/logo short.eml/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml/WEB-INF/">
    AllowOverride None
    deny from all
</Directory>
<Location "/logo short.eml/META-INF/">
    AllowOverride None
    deny from all
</Location>
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml/META-INF/">
    AllowOverride None
    deny from all
</Directory>
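
A defender's check suggested by the config above, as an added example that is not part of the original message: it scans an Apache config for Alias, Directory, Location and ApJServMount directives whose paths contain a .eml segment and groups them by file name. The function name and the sample config (lines from the message with mail wrapping undone, plus one constructed benign mapping) are assumptions.

```python
import re

# Directives from the message that carry a URL or filesystem path argument.
DIRECTIVE = re.compile(r'^<?\s*(Alias|Directory|Location|ApJServMount)\b(.*)$', re.I)
# One path segment ending in .eml (spaces allowed, as in the names in the message).
SEGMENT = re.compile(r'([^/"<>]*\.eml)(?=["/\s>]|$)', re.I)

# Constructed sample: the first mapping is a made-up benign entry, the rest are
# lines from the message with the mail client's wrapping undone.
SAMPLE = """\
Alias /examples "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/examples"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/examples">
    Options Indexes FollowSymLinks
</Directory>
Alias /new scanner specifications.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml">
    Options Indexes FollowSymLinks
</Directory>
ApJServMount /new scanner specifications.eml/servlet /new scanner specifications.eml
<Location "/new scanner specifications.eml/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
# Alias /old.eml "C:/old.eml"
"""


def find_eml_mappings(conf_text):
    """Return {eml_name: [(line_no, directive), ...]} for an Apache config."""
    findings = {}
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):      # commented-out directives are inert
            continue
        m = DIRECTIVE.match(stripped)
        if not m:                         # closing tags and other directives
            continue
        for name in SEGMENT.findall(m.group(2)):
            hits = findings.setdefault(name.strip().lower(), [])
            if (line_no, m.group(1)) not in hits:   # one hit per line
                hits.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    for name, hits in find_eml_mappings(SAMPLE).items():
        print(name, "->", ", ".join(f"{d} (line {n})" for n, d in hits))
```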
