On Sun, 12 Aug 2001, Bill Crawford wrote:
>
> > From: Chris Kloiber <[EMAIL PROTECTED]>
>
> > What the script is doing is attempting to access the backdoor to the
> > infected box (http://$ipaddr/scripts/root.exe?/c+dir) If it cannot (IE:
> > this was a code red 1 infection?) then it is not sending emails. I took
> > that check out, and it just spams the heck out of the
> > postmaster@<who_owns_that_ip_according_to_arin>. I also took the delay out
> > of the webpage so I could test it faster. It's launching the mail
> > immediately upon attack now.
> >
> > If I don't get my IP pulled (all mails thus far have gone to my ISP) for
> > complaining I'll consider putting up a modified tarball as well.
>
> Dude,
>
> I don't want to spoil the fun, but working for an ISP of sorts, I can
> tell you this is really going to get the good ones pissed at you, and
> the bad ones are just going to bitbucket your mail :o(
>
> The problem is that the data that ARIN/RIPE/etc keep on IP blocks may
> lead to the mailbox of an overworked sysadmin who won't be able to do
> much to help you, and is just as saddened and infuriated by the whole
> problem already.
>
> Now, if we can make the machine send a mail to its owner/administrator
> telling them they're infected ... unfortunately I don't know enough
> Windoze to do much, I'm afraid.

It's not fun, I assure you. I called my provider and the tech there said I
should let them rip. They are compiling lists of infected hosts and will
begin telephoning the users this week. They have also promised they will
be "filtering" the traffic (how without cutting off port 80 completely?).
I'll definitely take the page down if/when they ask. So far it looks like
I've sent 120 emails out, and I would guess 110 of them went to
[EMAIL PROTECTED]. I'm not happy about it either; I sent CC: to myself on
every one.

--
Chris Kloiber, RHCE
Enterprise Support - Red Hat, Inc.