> > ... I don't know what any of this means, but I don't like it! cmd.exe?
> > winnt? Who is 210.23.229.57 anyway, and why is he accessing my system,
>
> Twits running IIS who have been infected with nimda and codered. You can't
> do much else but ignore it, or block them. Either way, you get to pay for
> the traffic. Kinda like SPAM, really.
The only effective solution I can think of is to have the web server
rewrite URLs that are known to indicate infected machines so they call a
CGI script. The CGI would then need to connect to another process which has
access to modify the IP tables in the kernel to block that IP address. This
would allow the first connection through but block the subsequent ones. Has
anyone tried this? Did you find software to do it or write it yourself?
Rich
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
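
A sketch of the privileged-helper side of the scheme proposed in the reply above, added here as an example and not taken from the thread or from any existing tool. The probe patterns, the allowlist, the function names and the log lines are assumptions constructed for illustration. The helper validates the address it was handed and returns an argument list, so nothing from the request ever reaches a shell.

```python
import ipaddress
import re

# Assumed signatures: request paths that Nimda and Code Red probes ask for.
WORM_PATTERNS = re.compile(r"/(cmd\.exe|root\.exe|default\.ida)(\?|$)", re.IGNORECASE)
# Constructed allowlist: addresses the helper must never block.
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.1/32")]
# Client address and request path from a common-log-format line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')

def block_rule(remote_addr, request_path):
    """Return an iptables argv list for a worm probe, or None to do nothing."""
    if not WORM_PATTERNS.search(request_path):
        return None
    try:
        # Use the TCP peer address only; reject anything that is not an IP.
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in NEVER_BLOCK):
        return None
    # argv form, to be run without a shell by the privileged process.
    return ["iptables", "-I", "INPUT", "-s", str(ip),
            "-p", "tcp", "--dport", "80", "-j", "DROP"]

def rules_from_log(lines):
    """One rule per offending source address, in order of first appearance."""
    seen, rules = set(), []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        rule = block_rule(m.group(1), m.group(2))
        if rule and m.group(1) not in seen:
            seen.add(m.group(1))
            rules.append(rule)
    return rules

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2002:10:00:00 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jan/2002:10:00:01 +1100] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.9 - - [01/Jan/2002:10:02:00 +1100] "GET /default.ida?XXXX HTTP/1.0" 404 210',
    '203.0.113.20 - - [01/Jan/2002:10:03:00 +1100] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.1 - - [01/Jan/2002:10:04:00 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for argv in rules_from_log(SAMPLE_LOG):
        print(" ".join(argv))
```

Rules added this way accumulate, so a real deployment would also need to expire them.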