I was thinking: maybe disabling the attacking machine is bad and would
make the situation worse. Although it seems that if the virus already
has control of the attacking machine, disabling it at some point would
be on the agenda anyway...
>
> Oops - has a bug: should be "return filter_return" at the end... -Jim
>
> >
> > Try installing this in your modules/tcl directory:
> >
> > # procedure to reflect nimda virus calls to (maybe) crash the attacker instead
> > ns_log notice "loading nimda.tcl"
> > ns_register_filter preauth GET /scripts/* nimda
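> > proc nimda {conn ignore} {
> >     # Request line is "METHOD URL VERSION"; take the URL field
> >     set req [ns_conn request]
> >     set reqlist [split $req " "]
> >     set url [lindex $reqlist 1]
> >     # Address of the connecting client
> >     set host [ns_conn peeraddr]
> >     # Redirect the client to the same URL on its own address
> >     ns_returnredirect http://$host$url
> >     return
> > }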
> > ns_log notice "nimda.tcl loaded"
> >
> > Also available at http://www.rubylane.com/public/nimda.tcl.txt
> >
> > It tells the attacker to attack himself. Not sure if it'll follow the
> > redirect, but it's worth a shot.
> >
> > Jim
> >
> > >
> > > And still more information is at
> > > http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
> > >
> >
>