Thread: Nimda defense using *nix+apache

  1. #1 (Junior Member, Join Date: Jan 2002, Posts: 25)

    Nimda defense using *nix+apache

    Ok, I know you all are going to think I am crazy for posting this idea, but I don't really care.

    What I am proposing is to use apache + *nix as a tool in the defense from the Nimda virus.

    First let's look at the attack sequence from Nimda:

    xxx.xxx.xxx.xxx -- [date] "GET /scripts/root.exe?/c+dir HTTP/1.0"
    xxx.xxx.xxx.xxx -- [date] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
    xxx.xxx.xxx.xxx -- [date] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    xxx.xxx.xxx.xxx -- [date] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    xxx.xxx.xxx.xxx -- [date] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    xxx.xxx.xxx.xxx -- [date] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

    And so on, using different hex values to obtain and execute cmd.exe.

    Now we can do one of a few different things possible.

    One would be to create the directory structure that Nimda is looking for and add it into httpd.conf as an alias.
    (we need this to be an executable directory)

    Or create a winnt file structure in a file and mount it using the loopback device (not sure about this one).

    Now what we would do is build a script (perl anyone?) and name it cmd.exe, then place it in the newly created file structure. (Someone in antichat stated that cmd.exe is a windows executable, and this wouldn't be possible to "execute" in *nix.) Yes I know this, but so what, *nix really doesn't care about file extensions; all we want is to have Nimda "trigger" the script.

    Once the script has been "triggered" we could possibly do a couple of different things here.

    One would be to have "cmd.exe" scan the infected system for some form of a mail service and have it send a mail to
    the infected user notifying them of their Nimda problem.

    Or we can have "cmd.exe" do a reverse DNS lookup and split the hostname to obtain the "somehost.com" which will
    more than likely be an ISP and send a mail to abuse@somehost.com asking them to forward or notify the infected user.

    Well this is all just a thought I had in my caffeine induced rants.

    --Taboo
    --
    "UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."
    -- Dennis Ritchie
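A detection-side sketch of the first half of this idea, written as an added example (not the poster's code): it parses constructed Apache access-log lines, undoes the double URL-encoding the probes use, flags requests for root.exe/cmd.exe by source IP, and builds the abuse@ contact the post mentions from a reverse-DNS hostname. The actual reverse lookup is left out so it runs offline, and the two-label domain split is a deliberately naive assumption.

```python
import re
import urllib.parse

# Constructed Apache access-log lines modelled on the probes quoted in the post
# (the IPs are documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2001:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
203.0.113.5 - - [18/Sep/2001:10:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.7 - - [18/Sep/2001:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1234
"""

# Common Log Format: client, ident, user, [time], "METHOD path PROTO"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# The two executables every Nimda probe in the post ultimately asks for.
NIMDA_MARKERS = ("root.exe", "cmd.exe")


def decode_path(path: str) -> str:
    """Undo the double URL-encoding the probes use (%255c -> %5c -> backslash)."""
    decoded = path
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    return decoded.replace("\\", "/").lower()


def is_nimda_probe(path: str) -> bool:
    """True when the decoded request path targets root.exe or cmd.exe."""
    decoded = decode_path(path)
    return any(marker in decoded for marker in NIMDA_MARKERS)


def scan_log(text: str) -> dict:
    """Map each probing source IP to the decoded paths it requested."""
    hits: dict = {}
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and is_nimda_probe(match.group("path")):
            hits.setdefault(match.group("ip"), []).append(decode_path(match.group("path")))
    return hits


def abuse_address(hostname: str):
    """abuse@ contact from a reverse-DNS name (assumes the last two labels are the domain)."""
    labels = hostname.strip(".").split(".")
    return "abuse@" + ".".join(labels[-2:]) if len(labels) >= 2 else None
```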

  2. #2 (Senior Member, Join Date: Nov 2001, Posts: 1,255)

    This same thing has been discussed quite thoroughly on both SecurityFocus' Bugtraq and Focus-MS mailing lists lately. I'd recommend signing up if you really want to keep on the up and up about what vulnerabilities have been discovered.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
