On Thu, Jan 30, 2003 at 12:19:42PM -0800, Carrie Lee wrote:
> Within a few hours of running a nessus scan on a host, the host became
> infected with some viruses associated with the vulnerabilities found by
> nessus. Specifically, when I ran the scan, it said that the host was
> infected with Code Red, although it wasn't a few hours before the scan.

If you look at, say, CERT advisory CA-2001-19 --
<http://www.cert.org/advisories/CA-2001-19.html> -- you will find
information about how Code Red spreads as well as the telltale footprint
(starts with "/default.ida?NNN") it leaves in a web server's logs. With
that knowledge, you can then examine the logs on your host and pinpoint
when and from where the infection took place. When you do, I suspect
you'll find the source was one of the myriad hosts on the 'net that have
been spewing Code Red and/or Nimda for over a year. Various web sites I
host routinely get hit by infection attempts several times a week.

> About 6 hours later, the system became infected with a bunch of other
> viruses that exploit the found IIS vulnerabilities.

Was IIS recently set up on that host or was inbound web traffic from the
net recently allowed to it? Or to some other host on your network?

> I would like to
> find out if some of the plugins are not benign or even malicious.

Some plugins may cause damage and Nessus is I believe careful to let you
know when you've enabled any of those. The Code Red plugin, though, is
not.

George
-- 
[EMAIL PROTECTED]
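The log check George describes, as an added example that is not part of the original thread: a small scanner that walks IIS W3C extended log lines, picks out requests for /default.ida whose query string is the long run of N (Code Red I, the footprint CA-2001-19 documents) or X (the Code Red II variant), and reports the timestamp and source address of each probe so the earliest one can be compared against the time of the Nessus scan. The log lines embedded below are constructed for the example; the field names are the standard W3C extended ones IIS writes after its "#Fields:" directive.

```python
"""Added example: find the Code Red footprint in IIS W3C extended logs.

The request signature (GET /default.ida?NNNN... or XXXX...) is the one
documented for Code Red; the sample log below is constructed, not real.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional

# Code Red's probe: a GET for /default.ida whose query string opens with a
# long run of "N" (Code Red I) or "X" (Code Red II), then %u-encoded shellcode.
CODE_RED_QUERY = re.compile(r"^(N{20,}|X{20,})")


@dataclass
class CodeRedHit:
    when: datetime      # timestamp from the log (IIS W3C logs are UTC)
    source_ip: str      # c-ip: the host that sent the probe
    variant: str        # "N" or "X", which run the query started with
    status: str         # sc-status: 200 means the request reached the .ida handler


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields: Optional[List[str]] = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date, etc.
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):    # truncated or malformed record
            continue
        yield dict(zip(fields, values))


def find_code_red(lines: Iterable[str]) -> List[CodeRedHit]:
    """Return every Code Red probe in the log, in log order."""
    hits: List[CodeRedHit] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != "/default.ida":
            continue
        m = CODE_RED_QUERY.match(rec.get("cs-uri-query", ""))
        if not m:
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits.append(CodeRedHit(when, rec["c-ip"], m.group(1)[0], rec.get("sc-status", "-")))
    return hits


def first_hit(hits: List[CodeRedHit]) -> Optional[CodeRedHit]:
    """The earliest probe is the best candidate for when the host was infected."""
    return min(hits, key=lambda h: h.when) if hits else None


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-30 18:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-30 18:02:11 10.0.0.5 GET /index.htm - 200
2003-01-30 18:19:42 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2003-01-30 18:20:03 10.0.0.5 GET /default.htm - 200
2003-01-30 21:45:17 198.51.100.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
2003-01-30 22:01:55 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 404
"""

if __name__ == "__main__":
    hits = find_code_red(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.when} {h.source_ip} Code Red ({h.variant} run) status={h.status}")
    print("first hit:", first_hit(hits))
```

Two things to keep in mind when reading the result against the scan time: IIS writes W3C extended logs with UTC timestamps, so a 12:19 -0800 scan shows up as 20:19 in the log, and every probe from a different source is evidence for George's point that the infection came from one of the many already-infected hosts rather than from the scanner, which only sends a single recognisable request of its own.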
