Re: [newbie] Nimda
> Hello, would anyone know where I can find a script that would shut down or stop a nimda infected server? I can no longer tolerate this nimda, blocking does not work, there are some addresses that still get through and I don't know how the little buggers do it, so I want to make my web server send back a command that will shut off the infected server. Thanks to those that can help.
>
> Ibly

Ibly,

Do an archive search for a thread on HoneyPort. I believe you'll find it on the expert archive. You can also find some information if you do a search for Labrea Tarpit on Google. That should help you in what you're looking to do. It will at least trap the incoming connection attempt and keep it from sucking up yer bandwidth/server resources. However, it won't send a term signal back to the offending computer. For that you're going to have to do a little more searching on Google. But those programs are out there. You may also find a few references to programs such as this in the expert archives if you search long enough.

Mark

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Nimda
This also goes back to the heart of whether or not it is legal / ethical to shut someone's system down. Blocking access is one thing, trying to shut a server down is quite another in my opinion.

I actually did have a script running that would successfully block out pretty close to 100% of all nimda related infection attempts via ipchains / hosts.deny.

On any server I run, I'm certainly not going to try to shut down the server attempting to infect me. If I did so, I'd be opening myself up to a potential lawsuit from the company running the infected server.

Send an e-mail to their admin, or block off their access, but don't shut their machine down. It's a legally questionable move to do that.

Michael

--
Michael Viron [EMAIL PROTECTED] Core Systems Group Simple End User Linux

At 07:10 AM 4/29/2002 -0400, you wrote:
> > Hello, would anyone know where I can find a script that would shut down or stop a nimda infected server? I can no longer tolerate this nimda, blocking does not work, there are some addresses that still get through and I don't know how the little buggers do it, so I want to make my web server send back a command that will shut off the infected server. Thanks to those that can help.
> >
> > Ibly
>
> Ibly,
>
> Do an archive search for a thread on HoneyPort. I believe you'll find it on the expert archive. You can also find some information if you do a search for Labrea Tarpit on Google. That should help you in what you're looking to do. It will at least trap the incoming connection attempt and keep it from sucking up yer bandwidth/server resources. However, it won't send a term signal back to the offending computer. For that you're going to have to do a little more searching on Google. But those programs are out there. You may also find a few references to programs such as this in the expert archives if you search long enough.
>
> Mark
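A sketch of the kind of log-driven blocking Michael describes, added here as an example (it is not his script and not from the thread): it scans a web server access log for requests to cmd.exe or root.exe, the requests Nimda sends when probing for IIS, and builds hosts.deny and ipchains entries for repeat sources. The log lines are constructed, and the function names, the two-hit threshold and the never_block list are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Request targets the worm probes for on IIS; a non-IIS server just answers 404.
PROBE = re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.IGNORECASE)
# Common/combined log format: host ident user [time] "METHOD target PROTO" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Apr/2002:07:01:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [29/Apr/2002:07:01:13 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [29/Apr/2002:07:01:13 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
198.51.100.7 - - [29/Apr/2002:07:02:40 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [29/Apr/2002:07:03:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.5 - - [29/Apr/2002:07:03:03 -0400] "GET /docs/cmd.exe.html HTTP/1.0" 200 900
client.example.net - - [29/Apr/2002:07:04:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
"""


def probe_counts(log_text):
    """Count worm-style probe requests per source field of the access log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and PROBE.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits


def block_rules(hits, min_hits=2, never_block=()):
    """Return (hosts.deny lines, ipchains commands) for repeat offenders."""
    deny, chains = [], []
    for src, n in sorted(hits.items()):
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # resolved hostname or junk: never paste it into a rule
        if n < min_hits:
            continue  # a single hit may be a stray link, not the worm
        if any(ip in ipaddress.ip_network(net) for net in never_block):
            continue  # assumed allow-list so you cannot lock out your own hosts
        deny.append(f"ALL: {ip}")
        chains.append(f"ipchains -A input -s {ip} -j DENY")
    return deny, chains


if __name__ == "__main__":
    deny, chains = block_rules(probe_counts(SAMPLE_LOG),
                               never_block=["198.51.100.0/24"])
    print("\n".join(deny + chains))
```

The hosts.deny entries only affect services that consult TCP wrappers; the ipchains rule is the one that keeps the source from reaching the web server at all.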
[newbie] Nimda
Hello, would anyone know where I can find a script that would shut down or stop a nimda infected server? I can no longer tolerate this nimda, blocking does not work, there are some addresses that still get through and I don't know how the little buggers do it, so I want to make my web server send back a command that will shut off the infected server. Thanks to those that can help.

Ibly
RE: [newbie] Nimda Related question again.
If you have open shares on all of the windoze PC's, then the chances are they are all putting them there.. That is one of the ways that Nimda spreads... it looks around for other open shares..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 1 October 2001 5:45 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [newbie] Nimda Related question again.

Hi!... What I've got is this. I've got a machine running Samba on a Windoze Network. There are a few Windoze machines who have mapped the share on the Linux box. I've now had a few (*.eml) files appearing on those shares in the Linux box. I've been clearing them out a few times a day, no problem. No all steps have been taken to make sure all machines are properly virus protected, what I want to know is.. is there a log file on the LNX box which will state which machine (either IP or NB-Name) wrote these files to the share?...

Thanks in advance.

Brett.
[newbie] Nimda Related question again.
Hi!... What I've got is this. I've got a machine running Samba on a Windoze Network. There are a few Windoze machines who have mapped the share on the Linux box. I've now had a few (*.eml) files appearing on those shares in the Linux box. I've been clearing them out a few times a day, no problem. No all steps have been taken to make sure all machines are properly virus protected, what I want to know is.. is there a log file on the LNX box which will state which machine (either IP or NB-Name) wrote these files to the share?...

Thanks in advance.

Brett.
Re: [newbie] Nimda virus
On Tuesday 25 September 2001 22:27, you wrote:
> The Javascript method is only a problem if you use any IE version below 6. Of course, the media seems to think the whole world uses IE too. =) And sadly, my server logs say they're right. Sheep, meet cliff... jump.

As a matter of interest. Do your server logs tell you if a user accesses your site using a browser which identifies itself as Internet Explorer like Opera does? And how does Konqueror identify itself? Would anyone even know if these minority browsers were gaining popularity?
Re: [newbie] Nimda virus
Arthur H. Johnson II wrote:
> Consider the Source. The FBI is somewhat dumb in these matters, at least the upper echelon is, being the politicians they are. I don't think it's NPR's fault.

We need to write to NPR and the FBI. Anybody have email addresses? (Last time I tried to email the FBI I couldn't find an address -- they state they will not accept email.)

Randy Kramer

> On Tue, 18 Sep 2001, Miark wrote:
> > I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.
> >
> > http://news.cnet.com/news/0-1003-200-7215349.html
> >
> > Miark
>
> --
> Arthur H. Johnson II [EMAIL PROTECTED] The Linux Box http://www.linuxbox.nu
Re: [newbie] Nimda virus
----- Original Message -----
From: Randy Kramer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 11:07 AM
Subject: Re: [newbie] Nimda virus

> Arthur H. Johnson II wrote:
> > Consider the Source. The FBI is somewhat dumb in these matters, at least the upper echelon is, being the politicians they are. I don't think it's NPR's fault.
>
> We need to write to NPR and the FBI. Anybody have email addresses? (Last time I tried to email the FBI I couldn't find an address -- they state they will not accept email.)
>
> Randy Kramer

They probably run M$ servers and realize the risk just isn't worth it ;-)

Miark

> > On Tue, 18 Sep 2001, Miark wrote:
> > > I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.
> > >
> > > http://news.cnet.com/news/0-1003-200-7215349.html
> > >
> > > Miark
> >
> > --
> > Arthur H. Johnson II [EMAIL PROTECTED] The Linux Box http://www.linuxbox.nu
RE: [newbie] Nimda virus
But they are right, it DOES affect all internet connected computers... My linux boxes have had their bandwidth chewed up by four thousand Nimda servers infected with IIS (no I didn't get it around the wrong way, that's what I meant.)

rgds

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Kramer
Sent: Wednesday, 26 September 2001 1:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] Nimda virus

Arthur H. Johnson II wrote:
> Consider the Source. The FBI is somewhat dumb in these matters, at least the upper echelon is, being the politicians they are. I don't think it's NPR's fault.

We need to write to NPR and the FBI. Anybody have email addresses? (Last time I tried to email the FBI I couldn't find an address -- they state they will not accept email.)

Randy Kramer

> On Tue, 18 Sep 2001, Miark wrote:
> > I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.
> >
> > http://news.cnet.com/news/0-1003-200-7215349.html
> >
> > Miark
>
> --
> Arthur H. Johnson II [EMAIL PROTECTED] The Linux Box http://www.linuxbox.nu
Re: [newbie] Nimda virus
Consider the Source. The FBI is somewhat dumb in these matters, at least the upper echelon is, being the politicians they are. I don't think it's NPR's fault.

On Tue, 18 Sep 2001, Miark wrote:
> I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.
>
> http://news.cnet.com/news/0-1003-200-7215349.html
>
> Miark

--
Arthur H. Johnson II [EMAIL PROTECTED] The Linux Box http://www.linuxbox.nu
Re: [newbie] Nimda virus
The Javascript method is only a problem if you use any IE version below 6. Of course, the media seems to think the whole world uses IE too. =) And sadly, my server logs say they're right. Sheep, meet cliff... jump.
RE: [newbie] Nimda virus
So??? do you know how many drivers were missing from windows 2000 and ME ??? I still have cards and stuff that don't have 2000 drivers here what is your point (Also, windows 2000 needed a 300mhz cpu to run half decent.. and XP needs more and at least 128mb ram as a bare minimum...??? (as opposed to mandrake linux, which will run on a Pentium 100 with 32 mb of ram...(albeit slowly)

The simple fact of the matter is that many people ARE using linux to replace windows the easy side of things is most likely app software, not the OS itself, windows can't take credit for the majority of their software either...

rgds

frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manuel Drake
Sent: Wednesday, 26 September 2001 5:08 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [newbie] Nimda virus

BTW, I did write to the author suggesting he may want to tell his readers that an alternative to Windows exists (Linux). He wrote back to say such an article is already in the works and may be out early next week.

I'd love to agree with this assessment, but as I'm not exactly a moron, and am *still* stuck in the mud getting my Mandrake 8.0 distribution to do all that windows did for me (effortlessly). Please understand, I'd *really* love to agree with this, but unfortunately, even mandrake is not all that error free, ie, still not an alternative to windows.

My latest lunacy, installed Mandrake 8 on a brandy new 1.2G Tbird system for my neighbor, and though networking went ok, and I got X running passably, come to find out that esd won't support his on-board audio, so it's either another card, or back to RH7.1 which *did* for some reason support his audio.

One of these days though... For now, it would suffice to say that all the winservers should just give up and shut down for linux replacement... and take our pain away as well as their own.
Re: [newbie] Nimda virus
Many major companies are stating that WinXP will need 256MB of RAM to run well.

It should be remembered that hardware manufacturers primarily design their products for Windos. Support for most hardware in GNU/Linux (including drivers) is more often than not the result of much perspiration on the part of open source reverse-engineers, who usually receive _no_ help whatsoever from the manufacturers.

On Wed, 26 Sep 2001 11:54:36 +0800, Franki [EMAIL PROTECTED] wrote:
> So??? do you know how many drivers were missing from windows 2000 and ME ??? I still have cards and stuff that don't have 2000 drivers here what is your point (Also, windows 2000 needed a 300mhz cpu to run half decent.. and XP needs more and at least 128mb ram as a bare minimum...??? (as opposed to mandrake linux, which will run on a Pentium 100 with 32 mb of ram...(albeit slowly)
>
> The simple fact of the matter is that many people ARE using linux to replace windows the easy side of things is most likely app software, not the OS itself, windows can't take credit for the majority of their software either...
>
> rgds
>
> frank
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manuel Drake
> Sent: Wednesday, 26 September 2001 5:08 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [newbie] Nimda virus
>
> BTW, I did write to the author suggesting he may want to tell his readers that an alternative to Windows exists (Linux). He wrote back to say such an article is already in the works and may be out early next week.
>
> I'd love to agree with this assessment, but as I'm not exactly a moron, and am *still* stuck in the mud getting my Mandrake 8.0 distribution to do all that windows did for me (effortlessly). Please understand, I'd *really* love to agree with this, but unfortunately, even mandrake is not all that error free, ie, still not an alternative to windows.
>
> My latest lunacy, installed Mandrake 8 on a brandy new 1.2G Tbird system for my neighbor, and though networking went ok, and I got X running passably, come to find out that esd won't support his on-board audio, so it's either another card, or back to RH7.1 which *did* for some reason support his audio.
>
> One of these days though... For now, it would suffice to say that all the winservers should just give up and shut down for linux replacement... and take our pain away as well as their own.

--
Sridhar Dhanapalan.

There are two major products that come from Berkeley: LSD and UNIX. We don't believe this to be a coincidence. -- Jeremy S. Anderson
RE: [newbie] Nimda virus
yeah, who is going to release a virus that only propagates one way now??? This is the start of some really nasty viruses we will start seeing now...

The writers know that a lot of people have protection now, and that means they need to reach as many people as possible before the virus companies release the pattern updates... So using multiple methods of propagation speeds things up no end...

A sad day for software in general and Microsnot software in particular.

rgds

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Leone
Sent: Friday, 21 September 2001 10:35 AM
To: Newbie Mailing List
Subject: Re: [newbie] Nimda virus

From: David E. Fox [EMAIL PROTECTED]
> The closing sentence of a San Francisco Chronicle writeup on the virus said that server users should contact Microsoft for patches :).
>
> It's yet another instance of the Outlook Virus Transmission software.

Not quite. Nimda can and does propagate via Outlook attachments, and embedded HTML; However it *also* propagates as Javascript on infected web pages, which has no dependency on Outlook (altho does depend on MS's IIS web server to house its infection). Also, it can spread across MS network shares, again with no dependence on Outlook.

Nimda is REALLY thorough in exploiting many ways to propagate.

--
Michael J. Leone
Registered Linux user #201348
mailto:[EMAIL PROTECTED] ICQ: 50453890 AIM: MikeLeone
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key: http://www.mike-leone.com/~turgon/turgon-public-key.gpg
Taking a mental stroll through the psychic park of pleasure.
Re: [newbie] Nimda virus
From: David E. Fox [EMAIL PROTECTED]
> The closing sentence of a San Francisco Chronicle writeup on the virus said that server users should contact Microsoft for patches :).
>
> It's yet another instance of the Outlook Virus Transmission software.

Not quite. Nimda can and does propagate via Outlook attachments, and embedded HTML; However it *also* propagates as Javascript on infected web pages, which has no dependency on Outlook (altho does depend on MS's IIS web server to house its infection). Also, it can spread across MS network shares, again with no dependence on Outlook.

Nimda is REALLY thorough in exploiting many ways to propagate.

--
Michael J. Leone
Registered Linux user #201348
mailto:[EMAIL PROTECTED] ICQ: 50453890 AIM: MikeLeone
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key: http://www.mike-leone.com/~turgon/turgon-public-key.gpg
Taking a mental stroll through the psychic park of pleasure.
Re: [newbie] Nimda virus
On Wednesday 19 September 2001 04:45, you wrote:
> I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.

This would be great but it isn't possible :) But take heart it happens to everybody, not just linux. Our local TV recently reported on the deadly meningococcal virus! The media aren't really interested in factual information. The trick is to take what you read lightly and find reliable sources of info.
[newbie] Nimda virus
I caught the tail end of an FBI warning on NPR today that said the Nimda virus affects all Internet computers. That rubs me the wrong way because, as I read later at CNet, it doesn't affect our penguins (as usual). I think the popular media needs to be more careful the way they report these things.

http://news.cnet.com/news/0-1003-200-7215349.html

Miark