I was thinking a variation of this would be to track the IP addresses of my ISP's subnet and every night auto-dispatch an email to the support desk asking the ISP to contact those people affected by the virus... I wonder if it would have any effect? I wonder if this is something you could take up with the Better Business Bureau? The downside of this is that the ISP will shut down access to all lower ports like ftp and http, because I very much like being able to reach my Linux box at home when I'm not there...

> -----Original Message-----
> From: Franki [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 22, 2001 1:06 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [newbie] These windows viruses(sp?) pain for linux users too...
>
> Hi,
>
> Here is what I have done...
>
> I created a file in /sbin called, aptly enough, nimda
>
> make the file executable and put the code at the bottom of this mail in it..
>
> then make a file called /var/tmp/blocked and make it writable...
>
> make sure the path to your http error log directory is correct in the script..
>
> and make a cron job to run this often, (I have been doing it every couple of minutes as it doesn't seem to chew a lot of cpu or memory, even if it is parsing a 500mb error_log, (and I am doing it on my test server with a Ppro200 and 48mb of ram...)
>
> it will create ipchains rules for each nasty nimda server and block them, it will also add their IP address to /var/tmp/blocked
>
> you will need to change the rule a little if you are using IPtables.. nothing too difficult though..
>
> I am also using the hack that shuts down any server with root.exe on it.. and that has made a substantial difference too..
> I only get scanned once by those servers because they shutdown immediately upon trying to infect my box.... works great..
>
> I didn't want to do that.. but there are now 3500 IP addresses listed in my /var/tmp/blocked file, and ALL of them are infected and the amount goes up dramatically each day, (although it has backed off a lot lately.)
>
> I have some other scripts here that were donated to me, but I have yet to try them..
>
> if you are using the stop IIS server trick, you need to do what I did, check your httpd error log, (/var/log/httpd/error_log) and see what directories the IIS servers are looking for,,, then create those directories and put the php script in there..
>
> I have versions of it called Admin.dll, root.exe, default.ida and cmd.exe in each created directory structure...
>
> all the php script does, is open lynx to the url of the server and issue the shutdown code to root.exe on that box, (I figure any box that now has nimda previously had CodeRedII and will still have root.exe, seems to be true too...
>
> hope this helps..
>
> I don't know of the legalities of the shutdown code, but I look at it this way,, I just put the file on my server, I am not infecting anyone with it, if their servers request it, that's their problem, not mine,,
>
> I could just as easily put a bat file up for download that said "format c:\" or something similar on my server and if someone was dumb enough to download and run it, it's not my problem because I didn't infect them, they downloaded it.
>
> same diff with the stop server php script, it is on my server alone, I don't promote it, if an infected server comes to mine and grabs it,, that is not my problem,, I held off doing this for ages in the hope that it will stop, but I am now going to get a huge ISP bill for my permanent connection and what do I do,?? charge it to the infected servers????
>
> They wouldn't pay even if I could get them all,,, ,(most of the pages on those servers are default NT/2000 iis pages, meaning that the people don't even know they are running a web server...)
>
> if shutting down their server, (rather than hacking and damaging it, or leaving it up so that others can.) does not get their attention and get them patched,,, then nothing does.. I view this as doing them a favour as if their server gets shutdown, then other nasty types can't use the root.exe to install back doors and such.
>
> does anyone else have an opinion on this??
>
> rgds
>
> Frank
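An added example of the parse-the-error-log-and-block job Franki describes; it is not his /sbin/nimda script (that was at the bottom of his original mail and is not part of the quoted text above). It assumes an Apache 1.3-style error_log, the /var/tmp/blocked file from the thread, and ipchains (or iptables via NIMDA_FW=iptables); the log lines in sample_log are constructed, not real traffic, and the script prints the firewall rule instead of running it unless invoked with --cron.

```shell
#!/bin/sh
# Added example, not the script from the thread. Blocks hosts that probe an
# Apache server for Nimda / Code Red artefacts (root.exe, cmd.exe,
# default.ida, Admin.dll) by reading the error_log and remembering every
# blocked IP in a file so a rule is only ever inserted once.

LOG="${NIMDA_LOG:-/var/log/httpd/error_log}"       # assumed Apache 1.3 log path
BLOCKED="${NIMDA_BLOCKED:-/var/tmp/blocked}"       # file named in the thread
FIREWALL="${NIMDA_FW:-ipchains}"                   # "ipchains" or "iptables"

# Constructed Apache 1.3-style error_log lines (sample input, not real traffic).
sample_log() {
    cat <<'EOF'
[Sat Sep 22 01:06:01 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Sat Sep 22 01:06:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Sat Sep 22 01:06:03 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Sat Sep 22 01:06:04 2001] [error] [client 203.0.113.5] File does not exist: /var/www/html/default.ida
[Sat Sep 22 01:06:05 2001] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
[Sat Sep 22 01:06:06 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/scripts/Admin.dll
EOF
}

# Client IPs of every line that asked for a worm artefact, deduplicated.
# $1 = path to error_log
worm_ips() {
    grep -E 'File does not exist: .*/(root\.exe|cmd\.exe|default\.ida|Admin\.dll)$' "$1" \
      | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
      | sort -u
}

# The firewall command for one IP.  $1 = ip, $2 = ipchains|iptables
rule_for() {
    case "$2" in
        iptables) echo "iptables -I INPUT -s $1 -j DROP" ;;
        *)        echo "ipchains -I input -s $1 -j DENY" ;;
    esac
}

# Block every probing IP not already listed in the blocked file, then record it.
# $1 = error_log, $2 = blocked file, $3 = firewall flavour, $4 = "run" or "print"
block_new() {
    touch "$2"
    worm_ips "$1" | while read -r ip; do
        grep -qxF "$ip" "$2" && continue          # already blocked on an earlier run
        rule=$(rule_for "$ip" "$3")
        if [ "$4" = run ]; then $rule; else echo "$rule"; fi
        echo "$ip" >> "$2"
    done
}

# Usage:  nimda --cron   real log and real rules (run from cron as root)
#         nimda --demo   dry run over the constructed sample, prints the rules
case "${1:-}" in
    --cron) block_new "$LOG" "$BLOCKED" "$FIREWALL" run ;;
    --demo) d=$(mktemp -d); sample_log > "$d/error_log"
            block_new "$d/error_log" "$d/blocked" "$FIREWALL" print; rm -rf "$d" ;;
esac
```

Rules are inserted at the head of the chain (-I), so they take effect ahead of any ACCEPT rules; the blocked file is what keeps a run every couple of minutes from re-adding the same rule, and with thousands of entries it is also the thing to prune or convert into a single list-based rule later, since a chain that long is evaluated for every packet.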
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
