Hello,
I'm developing a warehouse application with AOLserver that will define
over 5000 read-write locks from the beginning for a database with 5000
products.
I have tried and it seems it works.
Is there any problem that could appear?
Is there any other method in order to define a fine-grained
Jim Wilcoxson wrote:
>
> Here's another version:
I was thinking you might also need a trace filter break.
I placed the following script in the private tcl/init.tcl file, to
ensure that it is the first filter that runs, however, it seems that
the rp_filter is still executing at least to run ad_pe
It appears that delaying this worm on one system is effective, but it is
multi-threaded to some extent because a single attacker is simultaneously
attacking a couple of our machines.
I have 3 "in jail" on one server, 7 on another, and 3 on another...
Jim
> The attack code isn't multi-threaded:
Here's another version:
http://www.rubylane.com/public/nimda.tcl.txt
This adds a 60-second delay before the redirect and has a maximum # of
connections that will be "held up" on your server. I have our server
set to hold up to 10 attackers. Once this limit is exceeded the
redirect is issued im
The web server will respond with some amount of traffic. I'd imagine the
302 redirect response would be shorter, overall, than a 404 response with
a "not found" page--especially if the site has a custom 404 page.
If the worm actually follows the redirect it will end up talking to itself
and, hen
No, not sure that returning a redirect is a good thing. Someone would
need to verify that this does in fact disable the thing.
A better option might be to add a 5-second delay before the redirect.
The time delay would depend on how often you are getting hit, how
many connections you can afford t
It wouldn't double network traffic, as the virus would be attacking the local
host. With any luck the attacking hosts will DoS themselves, saving the rest of
us the trouble.
Almost makes me want to preemptively strike any IIS host *I* run across. Sigh.
Chuck Kimber wrote:
> The problem with d
The problem with doing this is that this thing is already causing DoS
symptoms on the internet due to the massive amount of traffic it is causing.
Returning it will only double network traffic. Are you sure you want to add
to the problem?
Chuck
-Original Message-
From: AOLserver Discuss
I was thinking: maybe disabling the attacking machine is bad and would
make the situation worse. Although it seems that if the virus already
has control of the attacking machine, disabling it at some point would
be on the agenda anyway...
>
> Oops - has a bug: should be "return filter_return" at
Oops - has a bug: should be "return filter_return" at the end... -Jim
>
> Try installing this in your modules/tcl directory:
>
> # procedure to reflect nimda virus calls to (maybe) crash the attacker instead
> ns_log notice "loading nimda.tcl"
> ns_register_filter preauth GET /scripts/* nimda
>
Try installing this in your modules/tcl directory:
# procedure to reflect nimda virus calls to (maybe) crash the attacker instead
ns_log notice "loading nimda.tcl"
ns_register_filter preauth GET /scripts/* nimda
proc nimda {conn ignore} {
set req [ns_conn request]
set reqlist [split $req " "]
The 3 systems that hit me were running web servers - I checked.
@Home recently added filters to prevent public access to a web server
running on port 80. That's really nice. Since this virus appears to
enter via email, if it attacks the local web server first, then the
attacking host is protect
And still more information is at
http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
I had a crazy idea: what if we returned a redirect back to their own IP
address with the same URL? Would they attack themselves?
Or maybe this is coming from Windows PCs that aren't running a web
server at all - just a virus client...
J
We're getting them too, although little effect other than annoying.
More info: http://news.cnet.com/news/0-1003-200-7215349.html?tag=lthd
I received an email on the 17th (which I ignored with elm) with
these headers:
SUBJECT: Program's files, including this
X-MSMail-Priority: Normal
X-Priority:
Right. Well, code red just tried one URL. This one checks about a
hundred places per attacking host to see if you're vulnerable.
It's actually slowing things down on our websites pretty noticeably.
--
Rusty Brooks : http://www.rustybrooks.org/
Spewi
Rusty Brooks wrote:
>
> > this is just too annoying.
Hmm, I seem to be getting thousands of requests as well.
This is definitely different than codered.
--Tom Jackson
> this is just too annoying.
Indeed. Hasn't anyone ever heard of doing a head to see if you're
attacking a real IIS server before sending a few hundred requests?
Rusty
--
Rusty Brooks : http://www.rustybrooks.org/
Spewing wisdom from every orifice
--
I just went to one of the security web sites and
here is what they had in the front page
cut
A new, malicious worm targeting Microsoft Web servers is in the wild
and is frenetically scanning the Internet, security experts said today.
Starting this morning, numerous system administrators h
this is the same thing I emailed about earlier
except the attacks I am getting are coming from 216.x.x.x
(also same as me)
I think this is more deliberate since it cannot
be filtered from your routers since you risk
cutting yourself off the internet.
like you I'm getting more than one every sec
Grab Daniels Ns/Admin code at www.scriptkitties.com it lets you do that and
live edit a .tcl file..
--
Patrick Spence, Network Administrator
Information System Dept.
2401 South 24th Street, Phoenix, AZ 85034
[EMAIL PROTECTED] - http://www.vitamist.com
- Original Message -
From: "Br
Hmm. I've gotten 10,000 of them *today*. Yesterday, none.
They're almost all from 66.12.* addresses (verizon dsl in california, same
as me). This is where most of my code red attacks are (still) coming
from, probably because there's a lot of people running IIS who aren't
really even aware of i
Hi,
I've looked at the documentation and the mailing list archives and
have had no luck with this.
My question is:
if I add or change a TCL library procedure (in the /tcl directory next to
the pageroot), is there a way to force AOLserver to source it without a
restart?
Thanks!
regards,
B
it's an iis remote command execution exploit. it worked pretty well, the
patch has been out for months, though.
dave
On Tue, 18 Sep 2001, Freddie Mendoza wrote:
> Anyone seen these in their logs lately
>
> 216.129.13.39 - - [18/Sep/2001:08:20:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir
>HT
Anyone seen these in their logs lately
216.129.13.39 - - [18/Sep/2001:08:20:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
216.129.13.39 - - [18/Sep/2001:08:20:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
216.95.249.5 - - [18/Sep/2001:08:24:22
25 matches