RE: OT (maybe) : Code Red -email the server admins
There are already similar efforts out there.

Step 1, read the "fightBack" link on this site. http://www.dshield.org/

Step 2, move this conversation over to CF-Community.

-Cameron

Cameron Childress
elliptIQ Inc.
p.770.460.1035.232
f.770.460.0963
--
http://www.neighborware.com
America's Leading Community Network Software

> -----Original Message-----
> From: Mark W. Breneman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 10, 2001 12:51 PM
> To: CF-Talk
> Subject: RE: OT (maybe) : Code Red -email the server admins
>
> I realize that you were joking. But... with a little work and a bit of CF
> coding a reverse look-up that emails the server admin of the attacking
> server could be made.
>
> Parse through the IIS log file looking for the request for the /default.ida
> xxx///. With a little reverse look-up on the IP address of the request
> and then send mail to postmaster, webmaster, etc. you could notify these
> server admins of the problem. Note, you will not be able to get enough info
> on all of the IP addresses of the server. They would get an email per
> attempt that may add up to a lot of mail given time, and chances are a lot
> of people that get the mail may not even be associated with the web server.
> (i.e. our DSL provider would get the emails for our office static IP
> address.) So, if you were to do this you could get a bit of hate mail.
>
> Any ideas or thoughts? If I had more free time I would think about doing
> this.
>
> Mark W. Breneman
> -Cold Fusion Developer
> -Network Administrator
> Vivid Media
> [EMAIL PROTECTED]
> www.vividmedia.com
> 608.270.9770
>
> -----Original Message-----
> From: Justin Greene [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 10, 2001 7:47 AM
> To: CF-Talk
> Subject: RE: OT (maybe) : Code Red
>
> Anyone know whether the exploit being used by code red could be used to
> launch a counter exploit on the infected system that patches the machine
> :-).
>
> Justin
>
> -----Original Message-----
> From: webmaster [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 9:54 PM
> To: CF-Talk
> Subject: OT (maybe) : Code Red
>
> I don't know about the rest of you who host web sites, but we're still
> getting slammed with Code Red attempts - it's been even worse since the
> variant came out on Saturday.
>
> I was wondering if anyone had worked out a way to automatically notify the
> site administrators?
>
> When we got hit by a site called ezsecurehosting.com I figured it's about
> time something got done.
>
> Any suggestions?
>
> Richard
> Y2K Internet Technologies

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: OT (maybe) : Code Red -email the server admins
I realize that you were joking. But... with a little work and a bit of CF coding a reverse look-up that emails the server admin of the attacking server could be made.

Parse through the IIS log file looking for the request for the /default.ida xxx///. With a little reverse look-up on the IP address of the request and then send mail to postmaster, webmaster, etc. you could notify these server admins of the problem. Note, you will not be able to get enough info on all of the IP addresses of the server. They would get an email per attempt that may add up to a lot of mail given time, and chances are a lot of people that get the mail may not even be associated with the web server. (i.e. our DSL provider would get the emails for our office static IP address.) So, if you were to do this you could get a bit of hate mail.

Any ideas or thoughts? If I had more free time I would think about doing this.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-----Original Message-----
From: Justin Greene [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 10, 2001 7:47 AM
To: CF-Talk
Subject: RE: OT (maybe) : Code Red

Anyone know whether the exploit being used by code red could be used to launch a counter exploit on the infected system that patches the machine :-).

Justin

-----Original Message-----
From: webmaster [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 07, 2001 9:54 PM
To: CF-Talk
Subject: OT (maybe) : Code Red

I don't know about the rest of you who host web sites, but we're still getting slammed with Code Red attempts - it's been even worse since the variant came out on Saturday.

I was wondering if anyone had worked out a way to automatically notify the site administrators?

When we got hit by a site called ezsecurehosting.com I figured it's about time something got done.

Any suggestions?

Richard
Y2K Internet Technologies
RE: OT (maybe) : Code Red
> Anyone know whether the exploit being used by code red could be used
> to launch a counter exploit on the infected system that patches the
> machine :-).

Uh, you could do that, but I wouldn't recommend it, nor is this the appropriate place to debate the use of "friendly" worms. I know several people who are simply parsing their log files, then sending messages to people with infected machines if they can find contact info.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: (202) 797-5496
fax: (202) 797-5444
RE: OT (maybe) : Code Red
> Anyone know whether the exploit being used by code red could be used to
> launch a counter exploit on the infected system that patches the machine
> :-).

You should go fishing with a can of worms like that :-)
RE: OT (maybe) : Code Red
Anyone know whether the exploit being used by code red could be used to launch a counter exploit on the infected system that patches the machine :-).

Justin

-----Original Message-----
From: webmaster [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 07, 2001 9:54 PM
To: CF-Talk
Subject: OT (maybe) : Code Red

I don't know about the rest of you who host web sites, but we're still getting slammed with Code Red attempts - it's been even worse since the variant came out on Saturday.

I was wondering if anyone had worked out a way to automatically notify the site administrators?

When we got hit by a site called ezsecurehosting.com I figured it's about time something got done.

Any suggestions?

Richard
Y2K Internet Technologies
Re: OT (maybe) : Code Red
Good point. I've been sending out e-mails when BlackICE gave me a good name resolution, and have had some replies back - mostly apologetic, although one person informed me that I was crazy, that he had Norton and therefore no way could he have a virus, and suggested that I do something anatomically impossible to myself.. Ho hum.

I just wonder how much bandwidth/resource loss we all suffer from this damned worm.

----- Original Message -----
From: "Thomas Chiverton" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 4:39 AM
Subject: RE: OT (maybe) : Code Red

> > Any suggestions?
>
> snort, perl, /bin/mail :-)
>
> But seriously - you think if they're *still* not patched they'll care about
> you sending them an email?
Re: OT (maybe) : Code Red
Thomas Chiverton wrote:
>
> But seriously - you think if they're *still* not patched they'll care about
> you sending them an email?

That is exactly why you should go for the ARIN/RIPE/APNIC solution and inform their upstream provider. Every AUP I know has some provision that gives upstream providers the right to kill all traffic to and from a system when that system is hacking others.

Jochem
RE: OT (maybe) : Code Red
> Any suggestions?

snort, perl, /bin/mail :-)

But seriously - you think if they're *still* not patched they'll care about you sending them an email?
Re: OT (maybe) : Code Red
webmaster wrote:
> I don't know about the rest of you who host web sites, but we're still getting
> slammed with Code Red attempts - it's been even worse since the variant came out on
> Saturday.
>
> I was wondering if anyone had worked out a way to automatically notify the site
> administrators?
>
> When we got hit by a site called ezsecurehosting.com I figured it's about time
> something got done.
>
> Any suggestions?

How about:
map .ida to ColdFusion
create a page default.ida
on that page do a cfmail to postmaster@#cgi.remote_addr#

If you want to make it better, run the IP address through RIPE/ARIN/APNIC and get the email address from their upstream provider there. Then send an automated email to them. Just make sure you keep a log of what you send to whom, so you don't hammer providers with an email every second.

Warning: on systems not patched but where the .ida extension is not present I don't know whether the solution above would introduce the vulnerability. Of course that only applies to IIS ;)

Jochem
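Mark's suggestion of parsing the IIS log for /default.ida requests and Jochem's advice to keep a log of what you send to whom, as one added example that is not code from anyone in the thread: it parses constructed IIS W3C extended log lines, groups the probes by source address, and applies a 24-hour cooldown per address so a noisy source produces one notification rather than one per attempt. Looking up the recipient (reverse DNS or the RIPE/ARIN/APNIC contact, as the posts describe) is left to the caller; the addresses and log lines below are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log; the #Fields line declares the columns.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-10 12:51:03 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-08-10 12:51:05 192.0.2.10 GET /Default.IDA XXXXXXXXXXXXXXXX 404
2001-08-10 12:52:10 198.51.100.7 GET /index.cfm - 200
2001-08-10 13:30:41 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-08-11 12:52:00 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX 404
"""

# The probe the thread describes targets the .ida path; match the URI stem, not the payload.
PROBE_RE = re.compile(r"^/default\.ida$", re.IGNORECASE)

def parse_iis_log(text):
    """Yield one dict per record, naming columns from the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed records rather than guess
                yield dict(zip(fields, parts))

def find_probes(text):
    """Map each client IP to the timestamps of its /default.ida requests."""
    hits = {}
    for rec in parse_iis_log(text):
        if PROBE_RE.match(rec.get("cs-uri-stem", "")):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits.setdefault(rec["c-ip"], []).append(ts)
    return hits

def plan_notifications(hits, sent_log, cooldown=timedelta(hours=24)):
    """Return (ip, timestamp) pairs to notify now. sent_log (ip -> last mail time)
    is updated in place, so a noisy source gets one mail per cooldown, not per hit."""
    to_send = []
    for ip, times in sorted(hits.items()):
        for ts in sorted(times):
            last = sent_log.get(ip)
            if last is None or ts - last >= cooldown:
                to_send.append((ip, ts))
                sent_log[ip] = ts
    return to_send
```

Persist sent_log between runs (a small file or table is enough); with the sample above, 192.0.2.10 is notified once on the 10th and again on the 11th, 203.0.113.9 once, and the ordinary /index.cfm request is ignored.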