Right. So we have a two-parter. Either we ignore the first 20 days and let it
run, keep track of who is doing it, maybe a "Is your company irresponsibly
spreading this POS?" with a list, or we do the "remove the wurm binary". But
for the last third of the month we can still cut the bandwidth used and route
the booger to /dev/null and make it go away for a bit. It may take a little
to get the backboners to put the entries in, but if it'll clean up the net a
good bit for the DDoS mode, it's likely worth it.

Thus spake Yvonne Kelly ([EMAIL PROTECTED]):

> Yeah, except routing packets for that address to /dev/null will only work
> during the last part of the month, when it's in DDoS mode. For the first
> twenty days of the calendar month, it's in propagation mode, spreading
> itself, and that's what is clogging the bandwidth right now.
>
> Y.Kelly
>
> -----Original Message-----
> From: Robert L. Harris [EMAIL PROTECTED]
> Sent: Wed, 8 Aug 2001 12:09:07 -0600
> To: [EMAIL PROTECTED]
> CC: [email protected], [EMAIL PROTECTED]
> Subject: Re: FW: Careful. This is for information only.
>
> Agree with the ethics problem. I don't have many ethical problems though
> with overwriting a wurm binary from a machine we know is hacked; it hit me
> after all.
>
> How about assigning that hardcoded IP to /dev/null. Have the backbone
> operators assign a static route to a dead interface on the backbone routers
> so it doesn't even try to go to the old network.
>
> Yes, the best patch would be if all the IIS boxes were patched, but it
> doesn't appear to be working all that well.
>
> Thus spake Yvonne Kelly ([EMAIL PROTECTED]):
>
> > Hi,
> >
> > 1. You still run into the ethics question of whether you should be
> > tampering with other people's boxes yourself, even with good intentions.
> > Even if it's just to run a script.
> >
> > 2a. We don't KNOW that it was Chinese in origin. Sure, the defacement
> > script reads "Hacked by Chinese," but anyone could have written that just
> > to frame them. I've even heard theories that the worm was created by the
> > CIA....
> >
> > 2b. The DDoS target is actually a hardcoded IP address, not
> > "www.whitehouse.gov", so there's no DNS involved. That IP address used to
> > be the White House's, but they've long since gotten that changed!
> >
> > Y.Kelly
> >
> > -----Original Message-----
> > From: Robert L. Harris [EMAIL PROTECTED]
> > Sent: Wed, 8 Aug 2001 11:35:16 -0600
> > To: [email protected]
> > Subject: Re: FW: Careful. This is for information only.
> >
> > 2 thoughts.
> >
> > 1) Write a script that instead of shutting down the system applies a
> > hot-fix or shuts the wurm off, maybe a cron type, at job that removes
> > the files the wurm puts in place and then emails the admin with a "hey,
> > your box is hacked, fix it"...
> >
> > 2) My understanding is that this was made by some Chinese hacker ticked
> > off about that spy plane garbage and is DDOS'ing whitehouse.gov. Being
> > that we don't seem to be getting much help shutting this down since v2 is
> > now out, let's change DNS for a week and point Whitehouse.gov to
> > china.gov or some such mess.
> >
> > Thus spake Nathan E Norman ([EMAIL PROTECTED]):
> >
> > > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan wrote:
> > > > How about this? [ "white" worm ]
> > >
> > > You're missing the point.
> > >
> > > No one here is saying you would be a bad person if you
> > > {shut off/nuked/notified} a remote site that is already affected with
> > > the worm du jour.
> > >
> > > What I'm trying to say (and John Hasler as well, if I may be
> > > presumptuous) is that given the current state of affairs legally, you
> > > would be _unwise_ to set up your system in such a way that it did
> > > something to another machine via some back door mechanism, even if what
> > > you did was clearly beneficial.
> > >
> > > Many are saying "but that's stupid, it's sad that we can't help". You
> > > are absolutely correct. The Internet was supposed to be about
> > > cooperation ... as far as I can see it's mostly a playground for idiots
> > > and control freaks.
> > >
> > > If you want to figure out how to "stop" code red, go right ahead!
> > > However, don't be surprised when some moron calls you and wants to know
> > > why you've "hacked" his system. You can't share wisdom with fools,
> > > unfortunately.
> > >
> > > Cheers,
> > >
> > > --
> > > Nathan Norman - Staff Engineer | A good plan today is better
> > > Micromuse Ltd.                 | than a perfect plan tomorrow.
> > > mailto:[EMAIL PROTECTED]       |   -- Patton
> >
> > :wq!
> > ---------------------------------------------------------------------------
> > Robert L. Harris                     |  Micros~1 :
> > Senior System Engineer               |    For when quality, reliability
> >   at RnD Consulting                  |      and security just aren't
> >                                       \_            that important!
> > DISCLAIMER:
> >       These are MY OPINIONS ALONE.  I speak for no-one else.
> > FYI:
> >  perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

