[Dshield] Crossing the Line (was: SQLSnake)

KickerRick kickerrick at kickerrick.servebeer.com
Fri Jul 12 01:35:16 GMT 2002


    What I was doing was using a perl "shutdown" script that was modified by
suggestion (from John I think, but my old HDD died and I lost the message).
This was awesome as it left messages on the desktop of those with Nimda
infected machines via net send.
    Since I lost the original message and forgot the string used, currently
I do a simple net send to the infected machine with links to sites where
they can repair their machines. Usually I have to have a good ping before
the message will go through. Sending Larts to the ISPs may or may not help,
I never had an infected machine myself, but I HAVE seen some repeat IP addys
that had been reported previously.
    The net send seems effective, never saw a repeat probe from a message
that did make it through.

Erick


----- Original Message -----
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: <list at dshield.org>
Sent: Wednesday, July 10, 2002 7:04 PM
Subject: Re: [Dshield] Crossing the Line (was: SQLSnake)


> I haven't seen a program that will parse the syslog entries from LaBrea,
> however I strongly recommend the LaBrea::Tarpit PERL module from
> www.bizsystems.net/downloads - not only does it include a program to
> forward LaBrea output to DShield, but it also includes modules to set up
> real-time displays of the tarpit (see
> http://osiris.etee2k.net/cgi-bin/tarpit/paged_report.plx for an example)
> which allows you to track what is going on using any web browser (which
> is, by the way, how I discovered the unleashing of SQLsnake - I was
> showing off LaBrea to some of my co-workers when the first wave of probes
> hit.)
>
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
>
>
> ----- Original Message -----
> From: "John Hardin" <johnh at aproposretail.com>
> To: "DShield mailing list" <list at dshield.org>
> Sent: Wednesday, July 10, 2002 4:54 PM
> Subject: Re: [Dshield] Crossing the Line (was: SQLSnake)
>
>
> > On Wed, 2002-07-10 at 13:05, Johannes Ullrich wrote:
> > >
> > > LaBrea is a great
> > > tool to do this (with DShield reporting of course).
> >
> > Will Dshield parse the syslog entries that LaBrea generates? e.g.:
> [snip]
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>