Unfortunately, you're punishing the infected person, rather than the
instigator of the worm.
I've read of people developing perl scriptlets that basically hold the
connection open as long as possible by fooling the other side into thinking
that it's got a host it's infecting... thereby slowing down the propagation
of the worm. The numbers I saw indicated that with version 1 of the worm,
and it's 100 threads, holding a connection as long as possible before timing
out (which is what, 5 minutes?) slows the propagation of the worm 265,000%
But (personally) I dont think it's appropriate to lash back against an
infected machine (though a quick "why dont you patch your @#(*)( machines"
to the network owner has been known to occur on occasion when I get hit by
many many servers within a given netblock).
> -----Original Message-----
> From: scott [gts] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 13, 2001 10:38 AM
> To: php
> Subject: RE: [PHP] new one is it ??
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> what about something like this ?
> (just configure apache to have PHP handle *.ida files)
>
> <?
> // this is so our script won't time out
> set_time_limit(0);
>
> // how many bytes of junk to generate
> $jsize = 1024 * 10;
> // how many times to print $junk
> $jout = 1;
>
> // generate some random junk
> $n = 0;
> while ($n++ < $jsize) {
> $junk .= chr( rand(1,200) );
> }
>
> $i = 0;
> while ( $i++ < $jout ) {
> print $junk;
> }
>
> ?>
>
> > -----Original Message-----
> > From: Tim [mailto:[EMAIL PROTECTED]]
> > Subject: Re: [PHP] new one is it ??
> >
> >
> > Boy that looks familiar...my (apache) logs are full of 'em.
> >
> > I wonder if we can make a PHP script called default.ida
> that sends back
> > a big chunk of data and causes the worm to get a buffer
> overflow? :) :)
> >
> > - Tim (glad I don't run IIS :)
> >
> > On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote:
> > > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET
> > >
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> > >
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> > >
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> > >
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
> 0%u6858%ucbd3%
> > >
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
> 000%u00=a
> > > HTTP/1.0" 400 333 - "-" "-"
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBO3fmM8aXTGgZdrSUEQKRAgCgrGf+r6Fma17L39tEVp8lwanC+FwAoJlz
> l7k1s47s8EdDHnM+jLZzDuL2
> =z2GG
> -----END PGP SIGNATURE-----
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail:
> [EMAIL PROTECTED]
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
