Re: [PHP] nimda, etc.
This is something you can use to slow down (even possibly to kill) Code Red, Nimda scans, etc. It's really interesting, a good concept.

http://www.hackbusters.net/LaBrea/

At 10:03 AM 9/22/2001 +0200, Alexander Skwar wrote:
> Thus spoke »Gaylen Fraley« on 2001-09-21 at 18:10:58 -0500:
> > Are you sure about that? I am trying his script and I just had an attack and I watched the traffic through my firewall software. It dropped off immediately, i.e. showed no activity. I was expecting to see some kind of a
>
> Sure, but you've got two Apache/PHP processes running for the sleep time. Now, imagine that 10,000 Nimda accesses happen at the same time.
>
> Alexander Skwar

Ezra Nugroho
Web/Database Application Specialist
Goshen College ITS
Phone: (219) 535-7706

Don't be humble, you're not that great. -- Golda Meir

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] nimda, etc.
Thus spoke »Gaylen Fraley« on 2001-09-21 at 18:10:58 -0500:
> Are you sure about that? I am trying his script and I just had an attack and I watched the traffic through my firewall software. It dropped off immediately, i.e. showed no activity. I was expecting to see some kind of a

Sure, but you've got two Apache/PHP processes running for the sleep time. Now, imagine that 10,000 Nimda accesses happen at the same time.

Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.digitalprojects.com | http://www.iso-top.de
iso-top.de - The inexpensive way to get Linux distributions
Uptime: 2 days 20 hours 7 minutes
Re: [PHP] nimda, etc.
On Fri, 21 Sep 2001 13:48:09 -0700, Bill Rausch wrote:
> My web sites, which generally have only a couple of real visitors a day to run a specific application, have just been getting hammered by this stupid Nimda and Code Red stuff. I'm running Linux/Apache/PHP and have firewalls that filter everything except port 80, so I'm not worried about any local effects.
>
> What I've done as a public service is to run a /missing.php script that looks like:
>
>     <?php
>     // Apache's ErrorDocument handler exposes the originally requested path
>     // as REDIRECT_URL. (The script was written against $HTTP_SERVER_VARS;
>     // $_SERVER is the current equivalent.)
>     $url = isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '';
>
>     // Nimda probes for cmd.exe/root.exe, Code Red for default.ida:
>     // hold the worm's connection for five minutes before answering.
>     if (strpos($url, '.exe') !== false) sleep(300);
>     if (strpos($url, 'default.ida') !== false) sleep(300);
>
>     header('HTTP/1.0 404 Not Found');
>     echo '404 File Not Found: ';
>     // Escape the reflected path so a crafted request cannot inject HTML.
>     echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
>     ?>
>
> I felt that if nothing else I could slow the worm down a little by wasting its time before it races off to the next potential target. Does what I'm doing make any sense or am I all confused?
>
> --
> Bill Rausch, Software Development, Unix, Mac, Windows
> Numerical Applications, Inc. 509-943-0861 [EMAIL PROTECTED]

I think it's a good idea. Here's a related story you might like:
http://www.wired.com/news/technology/0,1282,46964,00.html

--
Mark, [EMAIL PROTECTED] on 09/21/2001
Re: [PHP] nimda, etc.
At 13:48 2001-09-21 -0700, Bill Rausch wrote:
> sleep( 300 );
>
> I felt that if nothing else I could slow the worm down a little by wasting its time before it races off to the next potential target. Does what I'm doing make any sense or am I all confused?

I do like the concept behind the sleep idea, but this is going to tie up accesses to *YOUR* server, which means you're literally setting yourself up for a DoS. I doubt that was a design goal.

I think setting up a script which hands off the visiting IP address to your firewall and stealths the requests would be much better. If I could get an answer to a cache implementation question I posted here this morning, I'd be moving along to providing such a facility to those interested...

FTR, the implementation I have in place right now is invoked via a RewriteRule in Apache, so I don't log 404 errors.

---
Please DO NOT carbon me on list replies. I'll get my copy from the list.
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
Re: [PHP] nimda, etc.
Are you sure about that? I am trying his script and I just had an attack and I watched the traffic through my firewall software. It dropped off immediately, i.e. showed no activity. I was expecting to see some kind of a persistent connection, but it doesn't seem to be there. I tested it myself and got the same results. My browser just sat there spinning, but there was no traffic in and out of my site.

--
Gaylen
[EMAIL PROTECTED]
http://www.gaylenandmargie.com
PHP KISGB v1.2 Guestbook http://www.gaylenandmargie.com/publicscripts

"Sean Straw / Pse" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> At 13:48 2001-09-21 -0700, Bill Rausch wrote:
> > sleep( 300 );
> >
> > I felt that if nothing else I could slow the worm down a little by wasting its time before it races off to the next potential target. Does what I'm doing make any sense or am I all confused?
>
> I do like the concept behind the sleep idea, but this is going to tie up accesses to *YOUR* server, which means you're literally setting yourself up for a DoS. I doubt that was a design goal.
>
> I think setting up a script which hands off the visiting IP address to your firewall and stealths the requests would be much better.