Sounds like a great idea, although I'd be the kind of BOFH that puts a format or fdisk command into the script. It's their fault for not securing their system and then trying to infect me, after all ;)

On Sat, 22 Sep 2001 14:05:40 +0800, "Franki" <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Here is what I have done...
>
> I created a file in /sbin called, aptly enough, nimda
>
> make the file executable and put the code at the bottom of this mail in it..
>
> then make a file called /var/tmp/blocked and make it writable...
>
> make sure the path to your http error log directory is correct in the script..
>
> and make a cron job to run this often, (I have been doing it every couple of minutes as it doesn't seem to chew a lot of cpu or memory, even if it is parsing a 500mb error_log, (and I am doing it on my test server with a Ppro200 and 48mb of ram...)
>
> it will create ipchains rules for each nasty nimda server and block them, it will also add their IP address to /var/tmp/blocked
>
> you will need to change the rule a little if you are using IPtables.. nothing too difficult though..
>
> I am also using the hack that shuts down any server with root.exe on it.. and that has made a substantial difference too..
> I only get scanned once by those servers because they shutdown immediately upon trying to infect my box.... works great..
>
> I didn't want to do that.. but there are now 3500 IP addresses listed in my /var/tmp/blocked file, and ALL of them are infected and the amount goes up dramatically each day, (although it has backed off a lot lately.)
>
> I have some other scripts here that were donated to me, but I have yet to try them..
>
> if you are using the stop IIS server trick, you need to do what I did, check your httpd error log, (/var/log/httpd/error_log) and see what directories the IIS servers are looking for,,, then create those directories and put the php script in there..
>
> I have versions of it called Admin.dll, root.exe, default.ida and cmd.exe in each created directory structure...
>
> all the php script does, is open linx to the url of the server and issue the shutdown code to root.exe on that box, (I figure any box that now has nimda previously had CodeRedII and will still have root.exe, seems to be true too...
>
> hope this helps..
>
> I don't know of the legalities of the shutdown code, but I look at it this way,, I just put the file on my server, I am not infecting anyone with it, if their servers request it, that's their problem, not mine,,
>
> I could just as easily put a bat file up for download that said "format c:\" or something similar on my server and if someone was dumb enough to download and run it, it's not my problem because I didn't infect them, they downloaded it.
>
> same diff with the stop server php script, it is on my server alone, I don't promote it, if an infected server comes to mine and grabs it,, that is not my problem,, I held off doing this for ages in the hope that it will stop, but I am now going to get a huge ISP bill for my permanent connection and what do I do,?? charge it to the infected servers????
>
> They wouldn't pay even if I could get them all,,, (most of the pages on those servers are default NT/2000 IIS pages, meaning that the people don't even know they are running a web server...)
>
> if shutting down their server, (rather than hacking and damaging it, or leaving it up so that others can.) does not get their attention and get them patched,,, then nothing does.. I view this as doing them a favour as if their server gets shutdown, then other nasty types can't use the root.exe to install back doors and such.
>
> does anyone else have an opinion on this??
>
> rgds
>
> Frank
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Johnson
> Sent: Friday, 21 September 2001 9:57 PM
> To: LinuxNewbie (E-mail)
> Subject: [newbie] These windows viruses(sp?) pain for linux users too...
>
>
> You know how these Code Red and Code Blue and Nimda viruses are affecting me as a linux user -- they are eating my bandwidth and trashing my weblogs. I can't play UT tournament anymore because it's killing my response time and connecting to the news server and reading news has become painfully slow.
>
> If I open up port 80 on my firewall my weblogs are flooded with these viruses. A lot of the ip addresses are coming from my ISP's subnet. Is there any way that I can let my ISP know about this and have them contact the people infected by these viruses to let me know. I would imagine that they already know about it. How can we get this stuff cleaned up?
>
>
> Will this insanity ever end?

--
Sridhar Dhanapalan.

"There are two major products that come from Berkeley: LSD and UNIX. We don't believe this to be a coincidence." -- Jeremy S. Anderson
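The log-scanning cron job Frank describes, reconstructed as an added example (his actual script is not in the archive): it pulls client IPs that requested the probe paths named in the thread out of an Apache error_log, emits an ipchains rule for each one not already recorded in the blocklist file, and appends it there. The log lines and file locations are constructed samples, and the rules are printed rather than executed so the script can be run anywhere.

```shell
#!/bin/sh
# Added example, not Frank's script. Probe paths are the ones named in the thread.
SIGS='root\.exe|cmd\.exe|default\.ida|Admin\.dll'

# Print each client IP that requested a probe path, one per line, deduplicated.
# Expects Apache 1.3-style error_log lines: "... [client 1.2.3.4] File does not exist: ..."
nimda_ips() {
    grep -E "$SIGS" "$1" \
      | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
      | sort -u
}

# Print the probing IPs from log $1 that are not yet listed in blocklist file $2.
new_ips() {
    if [ -s "$2" ]; then
        nimda_ips "$1" | grep -vxF -f "$2" || true   # grep exits 1 when nothing is new
    else
        nimda_ips "$1"
    fi
}

# Emit one firewall rule per new IP and record the IP in the blocklist.
# Rules are printed, not run; on the firewall host pipe the output to sh.
# iptables equivalent of each line: iptables -A INPUT -s $ip -j DROP
block_new() {
    for ip in $(new_ips "$1" "$2"); do
        echo "ipchains -A input -s $ip -j DENY"
        echo "$ip" >> "$2"
    done
}

# Constructed sample data so the script runs stand-alone; on a real host point
# block_new at /var/log/httpd/error_log and /var/tmp/blocked instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/error_log" <<'EOF'
[Sat Sep 22 13:50:12 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Sat Sep 22 13:50:13 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Sat Sep 22 13:51:02 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
[Sat Sep 22 13:52:44 2001] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
EOF
# Constructed blocklist: pretend an earlier cron run already caught this one.
printf '198.51.100.7\n' > "$SAMPLE_DIR/blocked"

block_new "$SAMPLE_DIR/error_log" "$SAMPLE_DIR/blocked"   # prints a rule for 192.0.2.10 only
```

Running it every couple of minutes from cron, as the thread suggests, re-reads the whole log each time; the blocklist file is what keeps the rule set from growing with duplicates.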