
Here is what I have done...

I created a file in /sbin called, aptly enough, nimda

make the file executable and put the code at the bottom of this mail in it..

then make a file called /var/tmp/blocked and make it writable...

make sure the path to your http error log directory is correct in the

and make a cron job to run this often, (I have been doing it every couple of
minutes as it doesn't seem to chew a lot of cpu or memory, even if it is
parsing a 500mb error_log, (and I am doing it on my test server with a
Ppro200 and 48mb of ram...)

it will create ipchains rules for each nasty Nimda server and block them, it
will also add their IP address to /var/tmp/blocked

you will need to change the rule a little if you are using iptables.. nothing
too difficult though..

I am also using the hack that shuts down any server with root.exe on it..
and that has made a substantial difference too..
I only get scanned once by those servers because they shutdown immediately
upon trying to infect my box.... works great..

I didn't want to do that.. but there are now 3500 IP addresses listed in my
/var/tmp/blocked file, and ALL of them are infected and the amount goes up
dramatically each day, (although it has backed off a lot lately.)

I have some other scripts here that were donated to me, but I have yet to
try them..

if you are using the stop IIS server trick, you need to do what I did, check
your httpd error log, (/var/log/httpd/error_log) and see what directories
the IIS servers are looking for, then create those directories and put the
php script in there..

I have versions of it called Admin.dll, root.exe, default.ida and cmd.exe in
each created directory structure...

all the php script does, is open lynx to the url of the server and issue the
shutdown code to root.exe on that box, (I figure any box that now has Nimda
previously had CodeRedII and will still have root.exe, seems to be true)

hope this helps..

I don't know of the legalities of the shutdown code, but I look at it this
way, I just put the file on my server, I am not infecting anyone with it,
if their servers request it, that's their problem, not mine,

I could just as easily put a bat file up for download that said "format c:\"
or something similar on my server and if someone was dumb enough to
download and run it, it's not my problem because I didn't infect them, they
downloaded it.

same diff with the stop server php script, it is on my server alone, I don't
promote it, if an infected server comes to mine and grabs it, that is not my
problem, I held off doing this for ages in the hope that it will stop, but I
am now going to get a huge ISP bill for my permanent connection and what do
I do?? charge it to the infected servers????

They wouldn't pay even if I could get them all, (most of the pages on
those servers are default NT/2000 IIS pages, meaning that the people don't
even know they are running a web server...)

if shutting down their server, (rather than hacking and damaging it, or
leaving it up so that others can.) does not get their attention and get them
patched, then nothing does.. I view this as doing them a favour as if
their server gets shut down, then other nasty types can't use the root.exe to
install back doors and such.

does anyone else have an opinion on this??
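The log-parsing and blocking half of the setup described above (the cron script that reads the httpd error_log, firewalls each scanning host, and records it in /var/tmp/blocked), as an added example. This is not the script referred to in the mail, whose code is not reproduced here; all function names are my own. It assumes the Apache 1.3 error_log line format `[date] [error] [client A.B.C.D] File does not exist: /path` and the probe paths named in the thread (root.exe, cmd.exe, default.ida, Admin.dll). Rules are printed rather than executed, so the output can be reviewed, or piped to sh from cron once you trust it; the `--demo` mode runs it over a constructed sample log, not real traffic.

```shell
#!/bin/sh
# nimda_block.sh -- added example, not the script from the original mail.
# Reads an Apache 1.3 error_log, finds hosts probing for worm paths, and
# prints one ipchains (or iptables) rule per host not already in the
# blocklist file, appending each new host to that file.

# Paths the Nimda / Code Red scanners request (taken from the thread).
SIGNATURES='root\.exe|cmd\.exe|default\.ida|Admin\.dll'

# Unique source IPs of log lines that match a worm signature.
# Assumes the Apache 1.3 "[client A.B.C.D]" field in error_log lines.
extract_probe_ips() {
  grep -Ei "$SIGNATURES" "$1" \
    | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
    | sort -u
}

# Pass through only the IPs (on stdin) that are not yet in the blocklist.
# The blocklist is loaded in BEGIN, so an empty file blocks nothing.
filter_new_ips() {
  awk -v bl="$1" 'BEGIN { while ((getline line < bl) > 0) seen[line] = 1 }
                  !($0 in seen)'
}

# Print a firewall rule for each IP on stdin and record it in the blocklist.
emit_rules() {
  bl="$1"; fw="$2"
  while IFS= read -r ip; do
    case "$fw" in
      iptables) printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" ;;
      *)        printf 'ipchains -I input -s %s -j DENY\n' "$ip" ;;
    esac
    printf '%s\n' "$ip" >> "$bl"
  done
}

# scan_and_block ERROR_LOG BLOCKLIST [ipchains|iptables]
scan_and_block() {
  log="$1"; blocklist="$2"; firewall="${3:-ipchains}"
  [ -f "$blocklist" ] || : > "$blocklist"   # create it writable on first run
  extract_probe_ips "$log" | filter_new_ips "$blocklist" | emit_rules "$blocklist" "$firewall"
}

# Constructed sample (not real traffic) written into DIR for the demo.
write_sample() {
  cat > "$1/error_log" <<'EOF'
[Fri Sep 21 21:57:01 2001] [error] [client 192.0.2.10] File does not exist: /scripts/root.exe
[Fri Sep 21 21:57:02 2001] [error] [client 192.0.2.10] File does not exist: /c/winnt/system32/cmd.exe
[Fri Sep 21 21:57:03 2001] [error] [client 192.0.2.20] File does not exist: /default.ida
[Fri Sep 21 21:57:04 2001] [error] [client 192.0.2.30] File does not exist: /images/logo.gif
[Fri Sep 21 21:57:05 2001] [error] [client 198.51.100.7] File does not exist: /scripts/Admin.dll
EOF
  # One scanner was already blocked on an earlier run.
  printf '192.0.2.20\n' > "$1/blocked"
}

demo() {
  dir=$(mktemp -d)
  write_sample "$dir"
  scan_and_block "$dir/error_log" "$dir/blocked" ipchains
  rm -rf "$dir"
}

case "${1:-}" in
  --demo) demo ;;
  "")     echo "usage: $0 ERROR_LOG BLOCKLIST [ipchains|iptables]  (or --demo)" >&2 ;;
  *)      scan_and_block "$@" ;;
esac
```

From cron, something like `/sbin/nimda /var/log/httpd/error_log /var/tmp/blocked ipchains | sh` applies the rules every few minutes; the blocklist keeps each host from being re-added on later runs, and the rules are easy to flush or audit because the same file lists every address ever blocked. The demo output for the constructed sample is two rules, for 192.0.2.10 and 198.51.100.7: the 192.0.2.30 line is an ordinary missing-file error and the 192.0.2.20 host was already in the list.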



-----Original Message-----
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark Johnson
Sent: Friday, 21 September 2001 9:57 PM
To: LinuxNewbie (E-mail)
Subject: [newbie] These windows viruses(sp?) pain for linux users too...

You know how these Code Red and Code Blue and Nimda viruses are affecting
me as a linux user -- they are eating my bandwidth and trashing my weblogs.
I can't play UT tournament anymore because it's killing my response time and
connecting to the news server and reading news has become painfully slow.

If I open up port 80 on my firewall my weblogs are flooded with these
viruses.  A lot of the ip addresses are coming from my ISPs subnet.  Is
there any way that I can let my ISP know about this and have them contact the
people infected by these viruses to let me know.  I would imagine that they
already know about it.  How can we get this stuff cleaned up?

Will this insanity ever end?
