[svlug] nimda: cheese or notify scripts?

Jonathan Cobb jonathan at hardcorejon.com
Wed Sep 19 18:22:02 PDT 2001


> 
> This wasn't what I was looking for.
> 
> Blocking traffic is only going to salvage your logrotate sessions.
> 
> I'd rather do a reverse attack on the systems launching this (and other)
> worms -- incidentally, I'm still seeing sizeable CodeRed attacks, even
> on a dialup network, and note that we're approaching yet another attack
> date, partial log follows:

While my technique does block the nastiness at the OS-level (whereas the 
SetEnvIfNoCase/Redirect stuff still makes your apache consume additional 
cpu cycles), I realize that the bandwidth is *still* being consumed, 
regardless.

And you're right, only some kind of reverse attack that shuts it down at 
the source would work.  I've lately been thinking about a "benevolent 
IIS worm", one that would have an algorithm something like this:

1. Infiltrate IIS using commonly known vulnerabilities
2. Spread self to other hosts.
3. Close vulnerabilities on the current host.

This way, the worm would spread, but it would be closing vulnerabilities 
as it spread!  It might also leave a polite text document on the 
administrator's system desktop, telling them what had happened, and 
chiding them for being a poor sys admin.

Conceivably something like this could also work for Outlook.

Thoughts?  Feasibility?

   - jonathan.
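The SetEnvIfNoCase/Redirect approach mentioned in the post has Apache match the worm's request strings on every hit; the OS-level alternative is to pull the offending source addresses out of the access log and drop them before Apache ever answers. The following is an added example written by the editor, not code from the original post or from anyone on the list. It scans a few constructed Apache combined-format log lines for the well-known Nimda probe paths (root.exe, cmd.exe, the ../ traversal into winnt/system32) and the Code Red /default.ida request, groups the hits by source address, and emits firewall rules; the iptables rule text is an assumption about what the reader's firewall expects.

```python
"""Extract Nimda / Code Red probe sources from Apache access logs.

Added example (not from the original post).  SAMPLE_LOG is constructed
data, and the iptables rule format emitted by block_rules() is an assumed
target for OS-level blocking.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Request paths the two worms probe for.  Code Red hits the .ida ISAPI
# filter; Nimda looks for root.exe / cmd.exe and traverses into
# winnt/system32.  Paths are URL-decoded once before matching so the
# %5c and %255c variants still match.
SIGNATURES = {
    "codered": re.compile(r"/default\.ida\?", re.I),
    "nimda": re.compile(r"(/root\.exe|/cmd\.exe|winnt/system32|\.\./\.\.)", re.I),
}

# Constructed sample: three Nimda probes and a Code Red probe from two
# hosts, plus one legitimate request that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:14:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
10.0.0.5 - - [18/Sep/2001:14:02:12 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
10.0.0.5 - - [18/Sep/2001:14:02:13 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
192.168.1.77 - - [18/Sep/2001:14:05:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 0 "-" "-"
172.16.4.9 - - [18/Sep/2001:14:06:02 -0700] "GET /index.html HTTP/1.1" 200 1743 "-" "Mozilla/4.77 [en] (X11; U; Linux 2.4.9 i686)"
10.0.0.5 - - [18/Sep/2001:14:02:14 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the worm name whose signature matches the request path, else None."""
    decoded = unquote(path, errors="replace")
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None


def scan(lines):
    """Return {source_ip: set(worm_names)} for every line matching a signature."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["path"])
        if worm:
            hits[rec["ip"]].add(worm)
    return dict(hits)


def block_rules(hits):
    """Render one DROP rule per offending source (assumed iptables syntax)."""
    return [
        f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP"
        for ip in sorted(hits)
    ]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, worms in sorted(found.items()):
        print(f"{ip}: {', '.join(sorted(worms))}")
    print("\n".join(block_rules(found)))
```

In use you would feed the live access log (or the output of `tail -f`) into `scan()` rather than the embedded sample, and hand the rules to whatever mechanism maintains your firewall state; the point is that matching happens once per source address offline instead of once per request inside Apache.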
