[Dshield] RE: Dshield digest, Vol 1 #188 - 11 msgs

Paryani, Gulabray ParyaniG at ncopost.ne-optometry.edu
Wed Aug 8 13:25:35 GMT 2001


Just a comment...
ASP can pull out an IP address (what about spoofing tho) and then if your
webserver has the right ActiveX control, it can do an rDNS, and possibly get
the admin info. But this assumes the IP has a valid rDNS and the admin info
is listed. Moreover, my box gets scanned by a BUNCH of Asian IP addresses
(Japan, China, Korea, etc.); I tend to doubt they'll give a crap about us.

I'm willing to contribute my scripting knowledge if anyone can think of a
good way to do this.

~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Gul Paryani
Internet Resource Specialist
Email: gul at gulshome.com
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

Message: 1
From: "Robert" <robert at chalmers.com.au>
To: <dshield at dshield.org>
Date: Wed, 8 Aug 2001 08:36:58 +1000
Subject: [Dshield] 2318 Windows servers attacking my network with CodeRed !
Reply-To: dshield at dshield.org

As of this morning, I counted 2318 unique IP numbers and resolved addresses
in my access_log containing the default.ida packet.

I have the full list if anyone wants it, in a small txt file. 2318 ip/host
addresses. Yes, I have sent logs yesterday to the dshield address.

This really is a major problem. How on earth could one possibly contact all
those hosts to warn them? Given the % of pirated systems out there, not a
few of these hosts won't even be running the software legally and so won't
be willing to respond - and may indeed themselves be the perpetrators!

If anyone has a bit of software that can filter the port 80 traffic, I'd
really like to see it!
Indeed, is there a piece of software that can automatically track these
IPs/ISPs and send warnings to them?

Robert



--__--__--

Message: 2
Date: Tue, 07 Aug 2001 17:56:35 -0500
From: Matt Weil <weilmr at slu.edu>
To: dshield at dshield.org
Subject: Re: [Dshield] RE: fighting back against CodeRed
Reply-To: dshield at dshield.org

Would a script to send the party an E-Mail when the file default.ida is
requested help...  Can't ASP and PHP pull the IP and admin address out of
the header request????  Maybe if they were emailed 500 times a day they
would think about getting to the patch....  Sorry, just throwing out ideas;
this may not be possible....

Matt

Eric Rosander wrote:

> I agree with Mark. Just ask Max Vision what you get when you do this in
> the name of "the forces of good".
>
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Mark Rowlands
> Sent: Tuesday, August 07, 2001 11:25 AM
> To: Tod D. Ihde
> Cc: dshield at dshield.org
> Subject: Re: [Dshield] RE: fighting back against CodeRed
>
> On Tuesday 07 August 2001 17:19, you wrote:
> > The machines are not going to get patched by the owners.
> >
> > The patch has been out for months.
> >
> > CodeRed (And II) have been out for days.
> >
> > Wake up. Responsible people have already patched their boxes. Nobody
> > else has, or will.
> >
> > Any quibbling that may come from the owner is easily squashed. "You want
> > I should have just formatted & rebooted? That was an easier program to
> > write", and "your box was probing mine. I made it stop."
> >
> > No they might not hold up in court, but I'm willing to bet I'm a bigger
> > pr*ck than anyone who might be stupid enough to try to take me to court
> > over patching a box they wouldn't patch themselves.
>
> Courts and lawyers and judges don't care about right and wrong, they care
> about the Law and Money.  The court is, however, an important place that
> really matters because in court, they can take away your computers, your
> right to work in your chosen career and your freedom. So it don't matter
> if you are the biggest swingingest dick in the land, if you can't get it up
> in court ;-).  So please, be a bit wary and a bit thoughtful, I'd hate to
> see people end up in prison over this bit of net nonsense,
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield


--__--__--

Message: 3
From: "Robert" <robert at chalmers.com.au>
To: <dshield at dshield.org>
Subject: Re: [Dshield] RE: fighting back against CodeRed
Date: Wed, 8 Aug 2001 10:20:47 +1000
Reply-To: dshield at dshield.org

If anyone writes such a thing, I'd love a copy !!!

robert

----- Original Message -----
From: "Matt Weil" <weilmr at slu.edu>
To: <dshield at dshield.org>
Sent: Wednesday, August 08, 2001 8:56 AM
Subject: Re: [Dshield] RE: fighting back against CodeRed




--__--__--

Message: 4
Date: Tue, 7 Aug 2001 22:05:45 -0500 (CDT)
From: "Donnie C. Moss" <dcm at ugnet.org>
To: dshield at dshield.org
Subject: Re: [Dshield] RE: fighting back against CodeRed
Reply-To: dshield at dshield.org

I know you can pull the IP Address but you would have to do some sort of
lookup with ARIN to get the Admin contact for that IP block... then it
would require that the block contact information is current.

--dcm

On Wed, 8 Aug 2001, Robert wrote:



/------------------------\
| Donnie Moss, CCNA, MCP |
| Network Administrator  |
| dcm at ugnet.org          |
| http://www.ugnet.org   |
\------------------------/

"More people are killed by donkeys annually than are
killed in plane crashes."




--__--__--

Message: 5
From: "Paul" <prtutt1 at home.com>
To: <dshield at dshield.org>
Subject: RE: [Dshield] RE: fighting back against CodeRed
Date: Tue, 7 Aug 2001 21:04:35 -0700
Reply-To: dshield at dshield.org

Ok enough for a sec. Here are a few observations I have concluded about
this matter. I believe any of you that are running a CODERED Scanner can
verify this also.

Of all these probes to port 80, my research so far tells me:

80% are being done by idiots running the scanner for they are already
patched.

14% are being done by non patched machines

6% are infected

Now this may not be the most scientific analysis but on every probe I
receive I scan back only like I said above to find out someone has
nothing better to do than set their scanner to scan a vast array of
addresses.

Ok that's my piece and if you doubt me grab a scanner and scan the
address scanning you..

LOL
Paul




--__--__--

Message: 6
Date: Tue, 7 Aug 2001 20:13:22 -0700
To: dshield at dshield.org
From: John Groseclose <iain at caradoc.org>
Subject: Re: [Dshield] RE: fighting back against CodeRed
Reply-To: dshield at dshield.org

At this point, I'd be happy to run a CGI that grabs the IP address of 
the infected machine, and sends an e-mail to abuse at domain.TLD 
reporting the attempt.

If they get a few thousand e-mails about it, maybe they'll be more 
likely to *ACT* on the reports instead of ignoring them for days on 
end.

I cannot condone a counter-worm. These "administrators" need to learn 
that there's more to being an "administrator" than simply being able 
to double-click on "Install" for a Microsoft product.

I'm willing to bet that a lot of the infected IIS machines' owners 
don't even know that IIS was installed and activated BY DEFAULT.

At least one of the machines that attempted to connect to me to pass 
Code Red had pages showing that the guy was an MCSE... I e-mailed him 
about it, and the pages have since vanished, but he never replied.
-- 
John Groseclose
iain at caradoc.org


--__--__--

Message: 7
From: "Mark Martin" <wolf at bescape.com>
To: <dshield at dshield.org>
Subject: RE: [Dshield] fighting back against CodeRed
Date: Tue, 7 Aug 2001 22:29:17 -0500
Reply-To: dshield at dshield.org

BTW, dropping the packets won't impact the attempt.

Mark

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Quibell, Marc
Sent: Monday, August 06, 2001 2:32 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] fighting back against CodeRed


Good idea. I was just thinking on how we can turn this code-red worm back
and neutralize the infected machine. But first we must have a way of
automatically identifying a code-red attack and then injection of the "Code
Red patch code". Or we'll have to do it manually. If any programmer would be
kind enough to develop an .exe that would expose the 'backdoor', get in and
have the server run the patch via a script file, I'm all for it... In the
meantime I'll be concentrating on how to get the routers to drop packets and
maybe the code-red, not getting a return reply, will drop its attempts...


--__--__--

Message: 8
Date: Wed, 08 Aug 2001 10:38:28 +0800
To: dshield at dshield.org
From: Chris Johnson <Kris_Johnson at yahoo.com>
Subject: [Dshield] Fighting Code Red
Reply-To: dshield at dshield.org

I've seen all these elaborate plans to fix CR2 infected machines that skirt 
dangerously close to trespass in the paranoid world of the IT illiterate 
company director, but I think the solution should be closer to "a slap".

Don't try to patch the machine, don't try to disinfect the computer, don't 
try anything that requires too many variables.  I recommend two things.

* Report the probe to a centralised authority that can warn the owner or 
upstream ISP.  Most of us on this list are already doing that.

* Shut down or reboot the infected service or server.

That second move should be a swift move that can be done blind and 
automated.  And it should have no effect on machines that aren't infected.

The real-world analogy is that someone pokes you so you slap them.  Fast 
and with a sting, but with no possibility of permanent damage.

I've been trying to use the scripts/root.exe? exploit to shut down the IIS
service using iisreset, but the IIS service by default doesn't have enough
privileges to run that program.  Perhaps someone else can work out a quick,
fail-safe way of disabling infected machines without having to spend too
long in there, and without running the risk of any damage.


Chris A. Johnson http://krisjohn.cjb.net
Kris_Johnson at yahoo.com Mob: 0412 446 312

Sick of problems with e-mail?  Every
attachment a virus?  My ICQ is: 12281057

PGP Key Fingerprint  http://www.pgpi.com
3254 BC93 9D17 C4D0  21DB E050 B69A 8F2A


--__--__--

Message: 9
From: "Mark Martin" <wolf at bescape.com>
To: <dshield at dshield.org>
Subject: RE: [Dshield] Re: Dshield digest, Vol 1 #185 - 11 msgs
Date: Tue, 7 Aug 2001 22:56:55 -0500
Reply-To: dshield at dshield.org

While in agreement with you on quashing the notion of the anti-worm, I'm
still pondering how such a thing would even work, technically.  I mean, how
would it spread?  Once it "cleaned" a system, there wouldn't be the
malicious spreading function left, so it would never propagate itself.  Am I
totally missing how that would even work?  The only way I could see it
working is if the anti-worm, the cleaning worm, actually continued acting
like the original worm in some way.  Then, instead of the inundation of
firewall logs with getting /default.ida and some wormy malicious code, you'd
get the /default.ida access and seeming non-malicious code.  What's the
diff?

(I ask this more to the group :)

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Dustin Decker
Sent: Tuesday, August 07, 2001 12:13 PM
To: dshield at dshield.org
Subject: [Dshield] Re: Dshield digest, Vol 1 #185 - 11 msgs



Let's all agree right now however, to quash any such discussion of using
the worm itself to kill the worm.  This may indeed seem noble, and on many
merits I would agree... however, one simply cannot forget that we are
without the services and companionship of our beloved own - Max Vision.  I
don't think I have to remind you why.  (Although I would also interject
that the FBI gave him a royal screwing on that whole mess.)  The law,
flawed or not, is still in full effect.  It would be most unwise to cross
those lines, and is additionally poor form to support such measures in
this forum.

Dustin


--__--__--

Message: 10
From: "johnr" <neo at lapd.de>
To: <dshield at dshield.org>
Subject: [Dshield] Strange Worm !
Date: Wed, 8 Aug 2001 06:50:15 +0200
Reply-To: dshield at dshield.org


hi everyone,

i'm running websnarf, a fake webserver to get the ip's of the worm-infected
systems .. strange but the last one was just trying to attack
me 4 times (!) now ... here's my log :

$ websnarf v1.04 listening on port 80 (timeout=1 secs)
195.178.171.84 - - [08/Aug/2001:04:45:29 -0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 100
195.178.171.84 - - [08/Aug/2001:04:46:05 -0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 100
195.178.171.84 - - [08/Aug/2001:04:46:49 -0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 100
195.178.171.84 - - [08/Aug/2001:04:47:05 -0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 100



--__--__--

Message: 11
From: "Josh Ballard" <jballard at cloud.cc.ks.us>
To: <dshield at dshield.org>
Subject: RE: [Dshield] Re: Dshield digest, Vol 1 #185 - 11 msgs
Date: Wed, 8 Aug 2001 00:06:22 -0500
Reply-To: dshield at dshield.org

> While in agreement with you on quashing the notion of the anti-worm, I'm
> still pondering how such a thing would even work, technically.

My recommendation wasn't an anti-worm, although it wasn't a real
recommendation.  It was an attempt to start discussion of what we are going
to do about this, and it's worked pretty well.  My "recommendation" was
every time a server sees the exploit, it attempts to patch the server making
the attempt via the backdoor.  Not to circulate an antiworm.  Just a server
that runs some commands on the host and runs the fix, and reboots.  It's not
very feasible as there are huge ethical and legal conflicts with this.  I'm
really liking the PHP/CGI idea of mailing the sysadmin/netadmin a ton of
e-mails, as I think this is feasible.  Another thought, what if the script
could pull e-mail addresses off the host's page if there was one existing, as
well as the sysadmin e-mail?  One problem here, ignore any @microsoft.com
email addresses that might exist on a default page.  I mean, that wouldn't
legally break the spam laws, because there is an unsubscribe method:  Patch
your machine.

Josh Ballard
oofle.com Linux Firewall Center
http://www.oofle.com/
jballard at cloud.cc.ks.us
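As an added example (not code from any poster), here is the log-side half of the reporting idea that runs through this thread, from Robert's count of unique default.ida sources to the PHP/CGI mailer Matt, John and Josh discuss: a Python script that parses the common-log lines websnarf and Apache write, keeps only Code Red probes, tells the X-filled Code Red I request from the N-filled Code Red II one, and groups hits per source address into a summary for the abuse desk. The log lines it runs on are constructed with RFC 5737 documentation addresses, and the report is rendered as text rather than mailed.

```python
# Added example (not any poster's code); the sample log lines are constructed.
import re
from collections import defaultdict
from typing import Optional

# Common-log line: ip ident user [timestamp] "METHOD path HTTP/x.y" status bytes.
# The worm's request has two spaces before the protocol ("...%u00=a  HTTP/1.0"), so \s+.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)\s+HTTP/\d\.\d" (?P<status>\d{3})'
)
# The .ida request: long filler ('X' in Code Red I, 'N' in Code Red II), then %u payload.
IDA_RE = re.compile(r'^/default\.ida\?(?P<fill>[XN]{100,})%u[0-9a-fA-F]{4}')
VARIANT = {"X": "Code Red I", "N": "Code Red II"}


def classify(path: str) -> Optional[str]:
    """Name the worm variant for a request path, or None if it is not a probe."""
    m = IDA_RE.match(path)
    return VARIANT[m.group("fill")[0]] if m else None


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a probe record; None for unparsable or benign lines."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    variant = classify(m.group("path"))
    if variant is None:
        return None
    # A completed HTTP request rides on a TCP handshake, so the logged source is real.
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "variant": variant, "status": int(m.group("status"))}


def summarize(lines):
    """Group probes by source: hit count, first/last timestamp, variants seen."""
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None, "variants": set()})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        rec = by_ip[p["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or p["ts"]
        rec["last"] = p["ts"]
        rec["variants"].add(p["variant"])
    return dict(by_ip)


def report_lines(summary, min_hits=1):
    """One line per source, busiest first: the draft handed to the abuse desk."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip}: {r['count']} probe(s), {r['first']} .. {r['last']}, "
            f"{'/'.join(sorted(r['variants']))}"
            for ip, r in rows if r["count"] >= min_hits]


# Constructed sample: payload shape as in the thread's log, addresses from RFC 5737.
TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
CR1 = "/default.ida?" + "X" * 224 + TAIL
CR2 = "/default.ida?" + "N" * 224 + TAIL
SAMPLE_LOG = [
    f'192.0.2.10 - - [08/Aug/2001:04:45:29 -0000] "GET {CR1}  HTTP/1.0" 404 100',
    f'192.0.2.10 - - [08/Aug/2001:04:46:05 -0000] "GET {CR1}  HTTP/1.0" 404 100',
    '198.51.100.7 - - [08/Aug/2001:04:50:01 -0000] "GET /index.html HTTP/1.0" 200 512',
    f'203.0.113.5 - - [08/Aug/2001:04:51:12 -0000] "GET {CR2}  HTTP/1.0" 404 100',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for row in report_lines(summarize(SAMPLE_LOG)):
        print(row)
```

Pointing `summarize` at a real access_log gives the per-host list Robert counted by hand; `min_hits` lets you report only repeat offenders like the four-times host in johnr's websnarf log.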



--__--__--



End of Dshield Digest



