Re: Nimda + apache

From: Peter Bowyer (peter@UNICA.CO.UK)
Date: 10/09/01


Message-ID:  <005601c150d8$144af7e0$da02a8c0@salmark.net>
Date:         Tue, 9 Oct 2001 16:35:47 +0100
From: Peter Bowyer <peter@UNICA.CO.UK>
Subject:      Re: Nimda + apache
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I think you'll find that the bit at the bottom of your apache .conf file was
auto-generated from your Tomcat implementation, based on files it finds in
your Tomcat webapps directory. Your webapps directory has some .eml files,
so Tomcat auto-generates the Apache conf to go with it.

So the infection was no more serious than the standard littering of .eml
files everywhere.

Peter

----- Original Message -----
From: "Matthew Groeninger" <Matthew.Groeninger@REQUISITE.COM>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Monday, September 24, 2001 8:04 PM
Subject: Nimda + apache

> The more I see of this bug, the more concerned I become.
>
> This comes from a Windows NT machine running Apache+jakarta, which was
> infected through a website (apparently twice). At the bottom of this email
> are the changes Nimda made to the apache.conf. While the changes were not
> effective (indeed, the service will not start, which is how the infection
> was identified) I am concerned that a 78k worm has done this much overall
> capability. It is thorough in its attack and thorough in its infection.
> It appeared well targeted at (primarily) corporate vulnerabilities, and very
> capable of exploiting common administration deficiencies.
>
> Has anyone found a good write up of the entire scope of this worm
> (preferably with stack reference and specifics of the binary), such as
> Eeye's write up of Code Red? (Keep up the good work, Marc)
>
>
> Alias /new scanner specifications.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml"
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml">
> Options Indexes FollowSymLinks
> </Directory>
> ApJServMount /new scanner specifications.eml/servlet /new scanner specifications.eml
> <Location "/new scanner specifications.eml/WEB-INF/">
> AllowOverride None
> deny from all
> </Location>
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml/WEB-INF/">
> AllowOverride None
> deny from all
> </Directory>
> <Location "/new scanner specifications.eml/META-INF/">
> AllowOverride None
> deny from all
> </Location>
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml/META-INF/">
> AllowOverride None
> deny from all
> </Directory>
>
> Alias /requisite logo short.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/requisite logo short.eml"
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml">
> Options Indexes FollowSymLinks
> </Directory>
> ApJServMount /logo short.eml/servlet /logo short.eml
> <Location "/logo short.eml/WEB-INF/">
> AllowOverride None
> deny from all
> </Location>
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml/WEB-INF/">
> AllowOverride None
> deny from all
> </Directory>
> <Location "/logo short.eml/META-INF/">
> AllowOverride None
> deny from all
> </Location>
> <Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/logo short.eml/META-INF/">
> AllowOverride None
> deny from all
> </Directory>
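
Added example, not part of either message above: a check for the situation described in the reply, where files dropped into the Tomcat webapps directory are published as contexts in the generated Apache configuration. The function name, the constructed sample text (the quoted block with a made-up `examples` webapp beside it) and the choice of `.eml` as the dropped extension are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the generated block quoted above;
# "examples" is a made-up, legitimate webapp for contrast.
SAMPLE_CONF = '''\
Alias /examples "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/examples"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/examples">
Options Indexes FollowSymLinks
</Directory>
Alias /new scanner specifications.eml "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml"
<Directory "C:/Tomcat/jakarta-tomcat-3.2.2/webapps/new scanner specifications.eml">
Options Indexes FollowSymLinks
</Directory>
ApJServMount /new scanner specifications.eml/servlet /new scanner specifications.eml
'''

# The URL path may contain unquoted spaces, so capture it lazily
# up to the quoted filesystem target.
ALIAS_RE = re.compile(r'^\s*Alias\s+(/.*?)\s+"([^"]+)"\s*$', re.MULTILINE)


def find_stray_contexts(conf_text, dropped_exts=(".eml",)):
    """Return (url_path, target, reasons) for Alias entries that look like
    dropped files published as webapp contexts."""
    findings = []
    for url_path, target in ALIAS_RE.findall(conf_text):
        reasons = []
        # A webapp context normally maps to a directory, not a mail file.
        if PureWindowsPath(target).suffix.lower() in dropped_exts:
            reasons.append("target has dropped-file extension")
        # Whitespace in an unquoted URL path splits the directive's arguments.
        if re.search(r"\s", url_path):
            reasons.append("unquoted whitespace in URL path")
        if reasons:
            findings.append((url_path, target, reasons))
    return findings


if __name__ == "__main__":
    for url_path, target, reasons in find_stray_contexts(SAMPLE_CONF):
        print(f"{url_path!r} -> {target!r}: {', '.join(reasons)}")
```

Entries it reports point at files to delete from the webapps directory before the configuration is regenerated.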