[Dshield] IIS Logs

Erick Brockway ebrockway at earthlink.net
Fri Mar 29 16:26:58 GMT 2002



	Oops, and occasionally I mess up and mis-configure my default email
and send from the wrong account (sorry Johannes).
	Also to be clear, it wouldn't break my heart if the script did shut
down the IIS machine infected by the trojan, but simply shutting it
down would be useless. It would simply be restarted eventually and
chkdsk would run, and the trojan would be back up probing.
	I've found with the machine that's infected it's possible to send a
console message which remains on the screen until the user hits the
OK button. After the perl script triggers the firewall alert, I fire
off a short message directing the user to ZoneAlarm, trojan remover
and NAI.com. I'd like to automate this, and I'm trying
(unsuccessfully so far) to get the script to send a console message.
May be over my head at this point in time though.


- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Forum Admin
Sent: Thursday, March 28, 2002 10:57 PM
To: list at dshield.org
Subject: RE: [Dshield] IIS Logs



	Well, I've been running a perl "StrikeBack" script on my Apache
server for a little over a month. Although I've yet to see it shut
down an infected machine, it DOES trigger a firewall rule rather
nicely whenever Perl.exe accesses the internet in response to a code
red or nimda probe. I'm working on a way to have it post a console
message to the infected computer, which would remain on the victim's
screen until they hit OK. Been sending them manually so far, and in
only one case has it failed to get the user's attention. Haven't had
but one repeat scan.



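The probes this thread reacts to, shown as an added detection example that is not the StrikeBack script or any other code from the original messages: it parses Apache common-log lines, flags Code Red and Nimda request signatures, and lists which source addresses appear to be infected. The log lines are constructed, and the common-log line format is an assumption (an IIS W3C log needs a different line parser, but the same URI signatures apply).

```python
import re

# Constructed Apache common-log sample (not from the original message): one host sends
# a Code Red probe followed by Nimda probes, one clean visitor, one Nimda-only host.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Mar/2002:22:41:07 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
192.0.2.10 - - [28/Mar/2002:22:41:09 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [28/Mar/2002:22:41:09 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
192.0.2.10 - - [28/Mar/2002:22:41:10 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
198.51.100.7 - - [28/Mar/2002:22:42:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.4 - - [28/Mar/2002:22:43:30 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
"""

# Apache common-log format: client, identd, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Request-URI signatures of the two worms the message mentions. Code Red overflows the
# .ida ISAPI filter via default.ida; Nimda calls the root.exe backdoor left behind by
# Code Red II or reaches cmd.exe through raw or URL-encoded directory traversal.
SIGNATURES = [
    ("Code Red", re.compile(r"/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"/root\.exe|/winnt/system32/cmd\.exe|%5c\.\.|%255c\.\.|%c0%af|%c1%1c", re.I)),
]

def classify_request(uri):
    """Return the worm name whose signature matches the URI, or None for clean traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(uri):
            return name
    return None

def scan_log(text):
    """Parse each log line and keep only the requests that look like worm probes."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-common-log lines
        src, ts, method, uri, status = m.groups()
        worm = classify_request(uri)
        if worm:
            events.append({"src": src, "time": ts, "worm": worm, "uri": uri, "status": int(status)})
    return events

def probing_hosts(events):
    """Map each source address to the set of worms it appears to be infected with."""
    hosts = {}
    for ev in events:
        hosts.setdefault(ev["src"], set()).add(ev["worm"])
    return hosts
```

Running `probing_hosts(scan_log(SAMPLE_LOG))` on the constructed sample attributes both worms to 192.0.2.10 and Nimda alone to 203.0.113.4, while the clean visitor never appears.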



