Hmm. I've gotten 10,000 of them *today*. Yesterday, none.
They're almost all from 66.12.* addresses (Verizon DSL in California, same
as me). This is where most of my Code Red attacks are (still) coming
from, probably because there's a lot of people running IIS who aren't
really even aware of
Grab Daniel's Ns/Admin code at www.scriptkitties.com; it lets you do that and
live-edit a .tcl file.
--
Patrick Spence, Network Administrator
Information System Dept.
2401 South 24th Street, Phoenix, AZ 85034
[EMAIL PROTECTED] - http://www.vitamist.com
- Original Message -
From:
this is just too annoying.
Indeed. Hasn't anyone ever heard of doing a head to see if you're
attacking a real IIS server before sending a few hundred requests?
Rusty
--
Rusty Brooks : http://www.rustybrooks.org/
Spewing wisdom from every orifice
Right. Well, Code Red just tried one URL. This one checks about a
hundred places per attacking host to see if you're vulnerable.
It's actually slowing things down on our websites pretty noticeably.
--
Rusty Brooks : http://www.rustybrooks.org/
The web server will respond with some amount of traffic. I'd imagine the
302 redirect response would be shorter, overall, than a 404 response with
a not found page--especially if the site has a custom 404 page.
If the worm actually follows the redirect it will end up talking to itself
and,
Here's another version:
http://www.rubylane.com/public/nimda.tcl.txt
This adds a 60-second delay before the redirect and has a maximum # of
connections that will be held up on your server. I have our server
set to hold up to 10 attackers. Once this limit is exceeded the
redirect is issued
It appears that delaying this worm on one system is effective, but it is
multi-threaded to some extent because a single attacker is simultaneously
attacking a couple of our machines.
I have 3 in jail on one server, 7 on another, and 3 on another...
Jim
The attack code isn't multi-threaded: if
Jim Wilcoxson wrote:
Here's another version:
I was thinking you might also need a trace filter break.
I placed the following script in the private tcl/init.tcl file, to
ensure that it is the first filter that runs, however, it seems that
the rp_filter is still executing at least to run