RE: [IMail Forum] Boomerang/Judo code (was: Virus Attacks)

[jb]

I've seen the discussion about this script, can anyone tell me where I can find a copy?   John A. Burns -----Original Message----- From: Ron Hornbaker [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 25, 2001 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [IMail Forum] Boomerang/Judo code (was: Virus Attacks) I totally agree, hence the little winky-face after that statement. I think we all can relate to the frustration of watching infected servers continue to drive our bandwidth through the roof with DoS attacks several days after public news of the problem and fix. Ron Hornbaker President/CTO   .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com   .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of David Fletcher Sent: Tuesday, September 25, 2001 1:33 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Boomerang/Judo code (was: Virus Attacks) Maybe a better idea would be to stop a service or two (say, IIS?).  I can appreciate the sentiment, but I sure wouldn't want to have to tell someone that thier whole C: drive was wiped.   David Fletcher http://www.micro-prince.com ----- Original Message ----- From: Ron Hornbaker To: [EMAIL PROTECTED] Sent: Tuesday, September 25, 2001 12:16 PM Subject: RE: [IMail Forum] Boomerang/Judo code (was: Virus Attacks) That's our code, if anyone has any questions about it. I posted it to a couple of lists yesterday, after Len posted an Apache version and gave me the idea. Looks like it's made the rounds and had its owner's name stripped from it and it's name changed from 404Judo.asp, but otherwise it's good. Boomerang indeed.   Note that since you're turning the request back onto an infected server, the http GET should have access to its own cmd.exe file. You know, just in case you want to assist in their anti-viral efforts by re-formatting their C drive for them. ;) Please don't ask me how to do that. Ron Hornbaker President/CTO   .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com   .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.   .  Come say Hi to us at ISPCON in Las Vegas, October 9-11, booth #3620!   .  http://www.ispcon.com/fall2001/attend-exhibitordetail.asp?X_ID=1792   .  http://AnswerTrack.com - eCRM email tracking solution   .  http://KillerWebMail.com - the name says it all   .  http://hksi.net/products - EZSignUp, You'veGotIMail!, etc...   .  http://hksi.net/testimonials - 1,666 admins can't be wrong -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ken Anderson Sent: Tuesday, September 25, 2001 8:04 AM To: Imail; Tim Subject: Re: [IMail Forum] Virus Attacks Tim, A friend sent me this file snd said that it is a asp script that you can load on your IIS server and when a server tries to code red you it will send packets back to the server that is trying to attack you and after about 10 packets it shuts down there IIS services. I have not looked at it yet but came from a close friend. > --- Original Message --- > From: "Tim" <[EMAIL PROTECTED]> > To: "Imail" <[EMAIL PROTECTED]> > Date: Mon, 24 Sep 2001 20:52:55 -0500 > Subject: [IMail Forum] Virus Attacks > > Does anyone know of a utility that will automatically block those IIS > servers that constantly try to attack an Imail server to stop these constant > attempts to attack port 80? Has anyone written a script that will add them > to the kill file? I think this would be a great > script/software/enhancement!!!! > > 20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect > due to error 10054 or malicious connection type. > 20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect > due to error 10054 or malicious connection type. > 20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect > due to error 10054 or malicious connection type. > 20010924 204807 Info - 63.237.172.134 GET /MSADC/root.exe?/c+dir HTTP/1.0. > > Anyone > > Tim D