Re: nimda worm

2001-09-23 Thread burns

On September 21, 2001 10:01 am, Bill Day wrote:
 Of course it is a problem but I closed IE before it could dl the file.
 I did let Konqueror download the file, figured since it was Linux it would
 be pretty much immune to it.. however the Java must be the culprit,
 allowing it to write to any writeable shares and across open network
 connections (SAMBA for instance).

 I cleaned before using LookOut so as to not infect the users in my address
 book..  This worm seems to have been well planned in that it propagates
 itself in almost every way imaginable..


Nimda uses JavaScript. I have turned JS off on my daughter's Windows box.
Filtering against *.exe files is also recommended.

There is detailed info here, including a rundown on all the changes it makes 
to a system:
http://www.cert.org/advisories/CA-2001-26.html

-- 
burns
___
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc 
-http://linux.nf/mailman/listinfo/linux-users



Re: NIMDA worm: JavaScript

2001-09-23 Thread burns

On September 22, 2001 11:31 pm, Tim Wunder wrote:
 Previously, Joel Hammer chose to write:
  I thought from all I had read about JavaScript that it was designed to be
  safe.
  I recall on another list someone said he had downloaded a malicious html
  doc and others on the list claimed that was impossible. This was a long
  time ago, like 8 months.
  Anyway, the following update is rather alarming:
  http://www.cert.org/advisories/CA-2001-26.html
  Even Linux boxes are getting infected from their Windows clients if they
  run Samba. There was a fix posted on the Samba mailing list.
  Joel

 Hi Joel,
 I didn't see anything in the advisory pertaining to Samba, was that
 something you just got from the samba list?


The worm will also propagate through network shares. It isn't going to
activate and infect a Linux client, but a Linux client could 'share' it to
other Windows boxes on the same network if they are unlucky enough to pull
across that file.

-- 
burns



Re: NIMDA worm: JavaScript

2001-09-23 Thread Ken Moffat

On Sun, 23 Sep 2001 10:48:43 -0400
burns [EMAIL PROTECTED] wrote:
 
 The worm will also propagate through network shares. It isn't going to
 activate and infect a Linux client, but a Linux client could 'share' it to
 other Windows boxes on the same network if they are unlucky enough to pull
 across that file.

Does this thing work on its own, or is it necessary to run an attachment
or open a message with an attachment?

-- 
Ken Moffat
[EMAIL PROTECTED]




Re: NIMDA worm: JavaScript

2001-09-23 Thread Bill Day

This does work on its own... I simply loaded the readme.eml and it contained
the embedded MIME readme.exe (which I never ran or found on the Linux system) but
it does propagate through network shares and to any writeable directories for
the current user. So any Samba shares and network connections to Win clients'
file and printer sharing allows it to write easily to Windows' insecure file
and print sharing.

As for the message on samba.org's site, it's under announcements and says URGENT
in bold black letters.  I am finally clean of it after checking for 2 days,
no more loose *.eml files and btw, clear your cache folder if you have been
infected by viewing a site..

BTW Joel that was me and I had (note: had) Java running on Konqueror, that was
how I got infected.  That was prolly the only reason that I was able to
spread it to my winclients otherwise I likely would have been completely safe
from it.

HTH


On Sunday 23 September 2001 10:19, you wrote:
 On Sun, 23 Sep 2001 10:48:43 -0400
 burns [EMAIL PROTECTED] wrote:
  The worm will also propagate through network shares. It isn't going to
  activate and infect a Linux client, but a Linux client could 'share' it to
  other Windows boxes on the same network if they are unlucky enough to pull
  across that file.

 Does this thing work on its own, or is it necessary to run an attachment
 or open a message with an attachment?

-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  Our crystal tears now fall upon the ashes, but from the dust shall
  grow a new spirit, to be in compassion for those who are lost, and
  one in determination to break those who dare test our resolve to be free...
  
  ---
  
  7:30pm  up 53 days,  9:45, 23 users,  load average: 0.12, 0.18, 0.14



Re: NIMDA worm: JavaScript

2001-09-22 Thread Tim Wunder

Previously, Joel Hammer chose to write:
 I thought from all I had read about JavaScript that it was designed to be
 safe.
 I recall on another list someone said he had downloaded a malicious html
 doc and others on the list claimed that was impossible. This was a long
 time ago, like 8 months.
 Anyway, the following update is rather alarming:
 http://www.cert.org/advisories/CA-2001-26.html
 Even Linux boxes are getting infected from their Windows clients if they
 run Samba. There was a fix posted on the Samba mailing list.
 Joel


Hi Joel, 
I didn't see anything in the advisory pertaining to Samba, was that something 
you just got from the samba list?

Tim



Re: NIMDA worm: JavaScript

2001-09-22 Thread Joel Hammer

 
 Hi Joel, 
 I didn't see anything in the advisory pertaining to Samba, was that something 
 you just got from the samba list?
 
There is mention that the infected clients will attempt to spread the worm:
from client to client via open network shares
This includes samba.
I don't think there is any danger to linux boxes, but windows clients can
get infected from the linux server.
One guy (on the Samba list?) says he visited a site and got hundreds of
copies of the worm on his Linux box. I tried that but only got one copy. Of
course, I used Opera, and I likely had JavaScript turned off, which is what
CERT recommends.
Not counting one day when I turned off logging (the first day), I have had
880 hosts attack me and have had 20,000 separate hits on my port 80
from this worm.
This is the worst yet, methinks.
Joel
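
Joel's figures (attacking hosts and port-80 hits) are the kind of count a web server's access log yields directly. The following is an added example, not code from this thread: it parses Common Log Format lines (a constructed sample using documentation address ranges) and flags the root.exe/cmd.exe "/c+dir" requests that the CERT advisory linked above attributes to Nimda, then reports hits and distinct source hosts; the probe pattern is this example's own summary of that advisory.

```python
"""Count Nimda-style web probes in Apache access-log lines (constructed sample)."""
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Nimda probed IIS for root.exe (left behind by Code Red II) and for cmd.exe
# reached through directory traversal, always with the "/c+dir" argument.
# This pattern is an assumption of the example, summarising CERT CA-2001-26.
NIMDA_PROBE = re.compile(r'(root\.exe|cmd\.exe)\?/c\+dir', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not CLF."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(request):
    """True when the request line carries a Nimda-style root.exe/cmd.exe probe."""
    return NIMDA_PROBE.search(request) is not None


def summarise(lines):
    """Return (hits, distinct_hosts, per_host Counter, unparsed) over the lines."""
    per_host = Counter()
    hits = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_nimda_probe(rec["request"]):
            hits += 1
            per_host[rec["host"]] += 1
    return hits, len(per_host), per_host, unparsed


# Constructed sample log; addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Sep/2001:03:14:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [22/Sep/2001:03:14:08 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
192.0.2.10 - - [22/Sep/2001:03:14:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [22/Sep/2001:03:20:41 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
198.51.100.7 - - [22/Sep/2001:03:20:42 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.4 - - [22/Sep/2001:04:02:13 -0400] "GET / HTTP/1.1" 200 2310
garbage line that is not a log record
"""

if __name__ == "__main__":
    hits, hosts, per_host, bad = summarise(SAMPLE_LOG.splitlines())
    print(f"{hits} Nimda probes from {hosts} distinct hosts ({bad} unparsed lines)")
    for host, n in per_host.most_common():
        print(f"  {host}: {n}")
```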




Re: nimda worm

2001-09-21 Thread Joel Hammer

I went to one of those sites with netscape. I downloaded one file (readme).
Once, I got a TESTING message on my browser. Nothing else.
Don't you think that using IE was the problem?
Joel
On Thu, Sep 20, 2001 at 06:15:48PM -0500, Bill Day wrote:
 It's not your fault, I'm nosy  8)  I did let it dl the .eml file  but as to how
 I got all those and such was weird..  They even migrated to Samba shares (and
 winboxes) somehow.  I visited one page (206.230.156.209) with I.E. and closed
 all open windows immediately then tried with Konqueror figured I'd be safe.

 However I found (400 not 4000) on my Linux box and exactly 198 on each winbox
 that was up at the time.  Both had infected load.exe in windows/system/ and
 then a *.eml in every folder on the box...

 truly weird..
 



Re: nimda worm

2001-09-21 Thread Bill Day

Of course it is a problem but I closed IE before it could dl the file.
I did let Konqueror download the file, figured since it was Linux it would be
pretty much immune to it.. however the Java must be the culprit, allowing it
to write to any writeable shares and across open network connections (SAMBA for
instance).

I cleaned before using LookOut so as to not infect the users in my address
book..  This worm seems to have been well planned in that it propagates
itself in almost every way imaginable..

On Thursday 20 September 2001 18:44, you wrote:
 I went to one of those sites with netscape. I downloaded one file (readme).
 Once, I got a TESTING message on my browser. Nothing else.
 Don't you think that using IE was the problem?
 Joel

 On Thu, Sep 20, 2001 at 06:15:48PM -0500, Bill Day wrote:
  It's not your fault, I'm nosy  8)  I did let it dl the .eml file  but as to
  how I got all those and such was weird..  They even migrated to Samba
  shares (and winboxes) somehow.  I visited one page (206.230.156.209) with
  I.E. and closed all open windows immediately then tried with Konqueror
  figured I'd be safe.

  However I found (400 not 4000) on my Linux box and exactly 198 on each
  winbox that was up at the time.  Both had infected load.exe in
  windows/system/ and then a *.eml in every folder on the box...

  truly weird..


-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  Our crystal tears now fall upon the ashes, but from the dust shall
  grow a new spirit, to be in compassion for those who are lost, and
  one in determination to break those who dare test our resolve to be free...
  
  ---
  
  8:30am  up 50 days, 22:45, 23 users,  load average: 0.15, 0.18, 0.16



Re: nimda worm

2001-09-20 Thread Bill Day

Hell, don't do it with any box.. I have been cleaning out *.eml and *.nws files
for hours

There were some 4000 eml files in just my home directory, around 600 nws

For a while I couldn't get my kde2 desktop to run.. I could log in, it would
load up then my screen would go blank.. don't know why.. something was trying
to start kwrite and such

So I logged in as root for a short time, found all files *.eml *.nws and
deleted them.  Seem to be ok now...

snip

 
  On Wednesday 19 September 2001 16:59, you wrote:
   Don't do this with a win box!

   Go here. Read the page source. Note the javascript
   http://208.163.77.109

   then get
   http://208.163.77.109/readme.eml

   Is this what the virus does on its own or is this site set up to infect
   on purpose?

-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  MicroShaft is the only company that introduces
  an OS that is worse than the one it replaces.
  ---
 10:30am  up 50 days, 45 min, 25 users,  load average: 1.60, 1.17, 0.89
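
The cleanup above (find every *.eml and *.nws file as root and delete it) can be done more cautiously. This is an added example, not the list member's actual command: it sweeps a tree for those files and moves them into a quarantine directory, keeping their relative paths, so that a file which turns out to be a legitimate saved message can be put back; it assumes the quarantine directory lies outside the swept tree.

```sh
#!/bin/sh
# Added example: quarantine, rather than delete, the *.eml / *.nws files the
# worm sprays across a home directory or a Samba share. Relative paths are
# preserved under the quarantine directory, which must lie outside the
# swept tree. Prints the number of files moved.
quarantine_worm_files() {
    src="${1%/}"        # tree to sweep, trailing slash removed
    qdir="$2"           # quarantine directory, created if missing
    list="$qdir/.quarantine.list"
    mkdir -p "$qdir" || return 1
    # -iname also catches README.EML; -type f skips directories and symlinks.
    find "$src" -type f \( -iname '*.eml' -o -iname '*.nws' \) > "$list" || return 1
    count=0
    while IFS= read -r f; do
        rel=${f#"$src"/}                        # path relative to the swept tree
        mkdir -p "$qdir/$(dirname "$rel")" || continue
        mv -- "$f" "$qdir/$rel" && count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}
```

Run it as the user who owns the files first; only fall back to root for shares or directories that user cannot write.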



Re: nimda worm

2001-09-20 Thread Ronnie Gauthier

Wow, sorry. I have not had that kind of trouble. I did find that Opera tried
to DL the .eml file.  Never had any .eml or .nws files grow on my box. I
really don't understand how that many .eml and .nws files could get to your
box unless it was some type of javascript problem where it looped for some
reason.

On Thursday 20 September 2001 10:54, Bill Day wrote:
 Hell, don't do it with any box.. I have been cleaning out *.eml and *.nws
 files for hours

 There were some 4000 eml files in just my home directory, around 600 nws

 For a while I couldn't get my kde2 desktop to run.. I could log in, it would
 load up then my screen would go blank.. don't know why.. something was
 trying to start kwrite and such

 So I logged in as root for a short time, found all files *.eml *.nws and
 deleted them.  Seem to be ok now...

 snip

   On Wednesday 19 September 2001 16:59, you wrote:
    Don't do this with a win box!

    Go here. Read the page source. Note the javascript
    http://208.163.77.109

    then get
    http://208.163.77.109/readme.eml

    Is this what the virus does on its own or is this site set up to
    infect on purpose?

-- 
Ronnie
==
Life can be a dream; or it can be a nightmare
it's all in your mind



Re: nimda worm

2001-09-20 Thread Ian Marchak

Quoting Ronnie Gauthier [EMAIL PROTECTED]:

 Wow, sorry. I have not had that kind of trouble. I did find that Opera tried
 to DL the .eml file.  Never had any .eml or .nws files grow on my box. I
 really don't understand how that many .eml and .nws files could get to your
 box unless it was some type of javascript problem where it looped for some
 reason.

 On Thursday 20 September 2001 10:54, Bill Day wrote:
  Hell, don't do it with any box.. I have been cleaning out *.eml and *.nws
  files for hours

  There were some 4000 eml files in just my home directory, around 600 nws

I've not paid too much attention to this puppy and what it preys on.  What
happens if you hit this page with NS in Win?  I did look at it, but with 'lynx'
and all I saw was the defacements and hacker drivel.
--
Linux SxS [http://hal.humberc.on.ca/~mrcn0031/sxs/]



Re: nimda worm

2001-09-20 Thread Bill Day

It's not your fault, I'm nosy  8)  I did let it dl the .eml file  but as to how
I got all those and such was weird..  They even migrated to Samba shares (and
winboxes) somehow.  I visited one page (206.230.156.209) with I.E. and closed
all open windows immediately then tried with Konqueror figured I'd be safe.

However I found (400 not 4000) on my Linux box and exactly 198 on each winbox
that was up at the time.  Both had infected load.exe in windows/system/ and
then a *.eml in every folder on the box...

truly weird..

On Thursday 20 September 2001 13:26, you wrote:
 Wow, sorry. I have not had that kind of trouble. I did find that Opera
 tried to DL the .eml file.  Never had any .eml or .nws files grow on my
 box. I really don't understand how that many .eml and .nws files could get
 to your box unless it was some type of javascript problem where it looped
 for some reason.

 On Thursday 20 September 2001 10:54, Bill Day wrote:
  Hell, don't do it with any box.. I have been cleaning out *.eml and *.nws
  files for hours

  There were some 4000 eml files in just my home directory, around 600 nws

  For a while I couldn't get my kde2 desktop to run.. I could log in, it
  would load up then my screen would go blank.. don't know why.. something
  was trying to start kwrite and such

  So I logged in as root for a short time, found all files *.eml *.nws and
  deleted them.  Seem to be ok now...
 
  snip
 
   On Wednesday 19 September 2001 16:59, you wrote:
    Don't do this with a win box!

    Go here. Read the page source. Note the javascript
    http://208.163.77.109

    then get
    http://208.163.77.109/readme.eml

    Is this what the virus does on its own or is this site set up to
    infect on purpose?

-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  MicroShaft is the only company that introduces
  an OS that is worse than the one it replaces.
  ---
  5:30pm  up 50 days,  7:45, 25 users,  load average: 0.00, 0.01, 0.05



Re: nimda worm

2001-09-19 Thread Douglas J. Hunley

On Wednesday 19 September 2001 17:59, Ronnie Gauthier babbled:

 is this what the virus does on its own or is this site setup to infect on
 purpose?

The virus does this. Neat trick actually..
-- 
Douglas J. Hunley ([EMAIL PROTECTED]) - Linux User #174778 
Admin: http://hunley.homeip.net/Admin: http://linux.nf/ 
Brainbench Linux Administration Certified

~~ Now offering Linux admin services for the home user ~~

Miss Wormwood, could we arrange our seats in a little circle and 
have a little discussion? Specifically, I'd like to debate 
whether cannibalism ought to be grounds for leniency in murders 
since it is less wasteful.
  -- Calvin



Re: nimda worm

2001-09-19 Thread Bill Day

Yeah I went there on a winbox yesterday, it was the most common hit from
nimda worm

It opened a folder, I immediately closed it

Don't really understand what it's trying to do other than open a non-resizeable
window at 6000x6000...  I was able to avoid being infected due to dialup
since it takes so long to DL it, closed it before it gets downloaded  hehe

Well using Konqueror I went again and did the second one (since I have pine
installed) it opened a console with a prepared email to myself with a
bunch of crap in it...

anyway.. onto the rest of my mail...


On Wednesday 19 September 2001 16:59, you wrote:
 Don't do this with a win box!

 Go here. Read the page source. Note the javascript
 http://208.163.77.109

 then get
 http://208.163.77.109/readme.eml

 Is this what the virus does on its own or is this site set up to infect on
 purpose?

-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  MicroShaft is the only company that introduces
  an OS that is worse than the one it replaces.
  ---
  7:30pm  up 49 days,  9:31, 25 users,  load average: 0.00, 0.00, 0.00



Re: nimda worm

2001-09-19 Thread Bill Day

Well noticed a couple other things after I posted this (on Linux, kde2.x and
kmail) had an email for win 98 ping...eml  opened it with adv txt editor
didn't interest me so I deleted  opened up kmail and noticed two new folders in
it.. sam.eml and '01 it position a.eml...

don't know where the hell they came from...


On Wednesday 19 September 2001 20:08, you wrote:
 Yeah I went there on a winbox yesterday, it was the most common hit from
 nimda worm

 It opened a folder, I immediately closed it

 Don't really understand what it's trying to do other than open a
 non-resizeable window at 6000x6000...  I was able to avoid being infected due
 to dialup since it takes so long to DL it, closed it before it gets
 downloaded  hehe

 Well using Konqueror I went again and did the second one (since I have pine
 installed) it opened a console with a prepared email to myself with a
 bunch of crap in it...

 anyway.. onto the rest of my mail...

 On Wednesday 19 September 2001 16:59, you wrote:
  Don't do this with a win box!

  Go here. Read the page source. Note the javascript
  http://208.163.77.109

  then get
  http://208.163.77.109/readme.eml

  Is this what the virus does on its own or is this site set up to infect on
  purpose?

-- 
  Bill Day A.K.A. BadMan
  RLU#188133 RLM#83358 http://counter.li.org 
  irc.openprojects.net #linux-users
  MicroShaft is the only company that introduces
  an OS that is worse than the one it replaces.
  ---
  7:30pm  up 49 days,  9:31, 25 users,  load average: 0.00, 0.00, 0.00