[42693] in North American Network Operators' Group


Nimda Worm

daemon@ATHENA.MIT.EDU (Mike Jackson)
Tue Sep 18 23:31:29 2001

From: Mike Jackson <mhjack@tscnet.com>
To: nanog@merit.edu
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 18 Sep 2001 14:52:09 -0700
Message-Id: <1000849929.10223.15.camel@tribble>
Mime-Version: 1.0
Errors-To: owner-nanog-outgoing@merit.edu


One of the spread methods has to do with retrieving a file called
"readme.eml" from the infected web servers.  Adding this to my Cisco
NBAR Code Red config seems to at least keep my customers from becoming
infected using that method.

class-map match-any http-hacks
  .. code red stuff..
   match protocol http url "*readme.eml"

Can anyone confirm exactly what filenames the email spread version uses?

-- 

Mike Jackson <mhjack@tscnet.com>
Vice-President
TSCNet, Inc.

Phone: 360-308-0205
Fax: 360-698-7789
http://www.tscnet.com
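The same match the NBAR rule above performs at the router edge can be applied to web or proxy access logs to see which hosts are actually fetching readme.eml. The following is an added example (not from the post or from Cisco); it assumes common/combined log format, treats the NBAR "*" the way fnmatch does, and uses constructed sample lines.

```python
"""Flag HTTP requests for Nimda's readme.eml in web/proxy access logs.

Mirrors the class-map rule `match protocol http url "*readme.eml"` in
software: the path is matched case-insensitively, the query string is
ignored, and percent-encoded paths are decoded first so "readme%2Eeml"
is still caught (assumption: NBAR's "*" means "any prefix", as in fnmatch).
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Glob in the same syntax the class-map uses.
NIMDA_URL_GLOB = "*readme.eml"

# Common/combined log format: client ident user [ts] "METHOD url PROTO" status ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def url_matches(url: str, glob: str = NIMDA_URL_GLOB) -> bool:
    """True if the request path (query dropped, percent-decoded,
    lower-cased) matches the glob."""
    path = unquote(urlsplit(url).path).lower()   # drops "?..." and "#..."
    return fnmatchcase(path, glob.lower())


def flag_nimda_requests(lines):
    """Return (client_ip, url, status) for every log line whose URL matches."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                 # malformed line: skip rather than abort
        ip, _method, url, status = m.groups()
        if url_matches(url):
            hits.append((ip, url, int(status)))
    return hits


# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2001:14:52:09 -0700] "GET /readme.eml HTTP/1.0" 200 57344',
    '203.0.113.7 - - [18/Sep/2001:14:52:10 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.9 - - [18/Sep/2001:14:53:01 -0700] "GET /dir/README.EML?x=1 HTTP/1.1" 200 57344',
    '198.51.100.9 - - [18/Sep/2001:14:53:02 -0700] "GET /readme%2Eeml HTTP/1.1" 404 300',
    'not a log line',
]

if __name__ == "__main__":
    for hit in flag_nimda_requests(SAMPLE_LOG):
        print("readme.eml request:", hit)
```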

