>   The only effective solution I can think of is to have the web server
> rewrite URLs that are known to indicate infected machines so they call a
> cgi script. The cgi would then need to connect to another process which has
> access to modify the ip tables in the kernel to block that IP address. This
> would allow the first connection through but block the subsequent ones. Has
> anyone tried this? Did you find software to do it or write it yourself?

I've seen a script around that connects back to the attacking system and
pops up a window on their screen telling them to fix their system.

Another option is to write to the offender's ISP, who will often take them
offline until they prove their system is clean (when I was working for an
ISP we did this).

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
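
The design asked about in the quoted question puts a privileged process behind a web-facing CGI, so the address it receives has to be treated as untrusted input. The sketch below is an added example, not code from the thread or from any existing tool; the class name, the never-block networks and the 24-hour expiry are assumptions. It shows the helper's decision logic only: it returns the iptables argument list to run instead of running it.

```python
import ipaddress
import time

# Assumed policy values for this sketch (not from the thread).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
BLOCK_SECONDS = 24 * 3600


class BlockList:
    """State kept by the privileged helper; the CGI only sends it an address string."""

    def __init__(self):
        self.expires = {}  # ip string -> unix time when the block lapses

    def request_block(self, raw, now=None):
        """Return the iptables argv to run for this request, or None if refused."""
        now = time.time() if now is None else now
        try:
            # Strict parse: the string comes from a web-facing process, so
            # anything that is not a single IPv4 address is rejected.
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            return None
        if any(ip in net for net in NEVER_BLOCK):
            return None  # never lock out local or management networks
        key = str(ip)
        if self.expires.get(key, 0) > now:
            return None  # already blocked; do not add duplicate rules
        self.expires[key] = now + BLOCK_SECONDS
        # argv list, never a shell string, so the address cannot inject options.
        return ["iptables", "-I", "INPUT", "-s", key, "-j", "DROP"]

    def expire(self, now=None):
        """Return argv lists that delete rules whose block time has passed."""
        now = time.time() if now is None else now
        done = [ip for ip, t in self.expires.items() if t <= now]
        for ip in done:
            del self.expires[ip]
        return [["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"] for ip in done]
```

Expiring the rules matters because an infected host behind a shared proxy or NAT address would otherwise keep every other user of that address blocked indefinitely.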
