[svlug] nimda: cheese or notify scripts?
jonathan at hardcorejon.com
Wed Sep 19 18:22:02 PDT 2001
> This wasn't what I was looking for.
> Blocking traffic is only going to salvage your logrotate sessions.
> I'd rather do a reverse attack on the systems launching this (and other)
> worms -- incidentally, I'm still seeing sizeable CodeRed attacks, even
> on a dialup network, and note that we're approaching yet another attack
> date, partial log follow:
While my technique does block the nastiness at the OS-level (whereas the
SetEnvIfNoCase/Redirect stuff still makes your apache consume additional
cpu cycles), I realize that the bandwidth is *still* being consumed,
And you're right, only some kind of reverse attack that shuts it down at
the source would work. I've lately been thinking about a "benevolent
IIS worm", one that would have an algorithm something like this:
1. Infiltrate IIS using commonly known vulnerabilities
2. Spread self to other hosts.
3. Close vulnerabilities on the current host.
This way, the worm would spread, but it would be closing vulnerabilities
as it spread! It might also leave a polite text document on the
administrator's system desktop, telling them what had happened, and
chiding them for being a poor sys admin.
Conceivably something like this could also work for Outlook.
More information about the svlug