Re: [AOLSERVER] Code Rainbow attacks

2001-09-19 Thread Jim Wilcoxson
Since many of the big ISP's are running transparent proxies (all outbound web requests from clients go through them), I hope they are adding filters for these requests and dropping them at the source. I think the FBI should be investigating Microsoft employees and contractors. What better place

Re: [AOLSERVER] Code Rainbow attacks

2001-09-19 Thread Daniel P. Stasinski
I just want it to stop sucking my bandwidth and filling my access logs, so I took a totally different approach in minimizing the problem. On just one of my machines, I have 5 hosts each on its own IP. I added a 6th server that only listens to local connections. On the 5 main servers, I have re

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Tom Jackson
Jim Wilcoxson wrote: > > Here's another version: I was thinking you might also need a trace filter break. I placed the following script in the private tcl/init.tcl file, to ensure that it is the first filter that runs, however, it seems that the rp_filter is still executing at least to run ad_pe

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
It appears that delaying this worm on one system is effective, but it is multi-threaded to some extent because a single attacker is simultaneously attacking a couple of our machines. I have 3 "in jail" on one server, 7 on another, and 3 on another... Jim > The attack code isn't multi-threaded:

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
Here's another version: http://www.rubylane.com/public/nimda.tcl.txt This adds a 60-second delay before the redirect and has a maximum # of connections that will be "held up" on your server. I have our server set to hold up to 10 attackers. Once this limit is exceeded the redirect is issued im

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Michael A. Cleverly
The web server will respond with some amount of traffic. I'd imagine the 302 redirect response would be shorter, overall, than a 404 response with a "not found" page--especially if the site has a custom 404 page. If the worm actually follows the redirect it will end up talking to itself and, hen

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
coxson > Sent: Tuesday, September 18, 2001 1:14 PM > To: [EMAIL PROTECTED] > Subject: Re: [AOLSERVER] Code Rainbow attacks > > > Try installing this in your modules/tcl directory: > > # procedure to reflect nimda virus calls to (maybe) crash the attacker > instead > ns_

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Michael Roberts
> From: AOLserver Discussion [mailto:[EMAIL PROTECTED]]On Behalf > Of Jim Wilcoxson > Sent: Tuesday, September 18, 2001 1:14 PM > To: [EMAIL PROTECTED] > Subject: Re: [AOLSERVER] Code Rainbow attacks > > Try installing this in your modules/tcl directory: > > # procedure to

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Chuck Kimber
Discussion [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Wilcoxson Sent: Tuesday, September 18, 2001 1:14 PM To: [EMAIL PROTECTED] Subject: Re: [AOLSERVER] Code Rainbow attacks Try installing this in your modules/tcl directory: # procedure to reflect nimda virus calls to (maybe) crash the attacker instead

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
I was thinking: maybe disabling the attacking machine is bad and would make the situation worse. Although it seems that if the virus already has control of the attacking machine, disabling it at some point would be on the agenda anyway... > > Oops - has a bug: should be "return filter_return" at

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
Oops - has a bug: should be "return filter_return" at the end... -Jim > > Try installing this in your modules/tcl directory: > > # procedure to reflect nimda virus calls to (maybe) crash the attacker instead > ns_log notice "loading nimda.tcl" > ns_register_filter preauth GET /scripts/* nimda >

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
Try installing this in your modules/tcl directory: # procedure to reflect nimda virus calls to (maybe) crash the attacker instead ns_log notice "loading nimda.tcl" ns_register_filter preauth GET /scripts/* nimda proc nimda {conn ignore} { set req [ns_conn request] set reqlist [split $req " "]

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
The 3 systems that hit me were running web servers - I checked. @Home recently added filters to prevent public access to a web server running on port 80. That's really nice. Since this virus appears to enter via email, if it attacks the local web server first, then the attacking host is protect

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Dave Siktberg
And still more information is at http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
I had a crazy idea: what if we returned a redirect back to their own IP address with the same URL? Would they attack themselves? Or maybe this is coming from Windows PCs that aren't running a web server at all - just a virus client... J

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Jim Wilcoxson
We're getting them too, although little effect other than annoying. More info: http://news.cnet.com/news/0-1003-200-7215349.html?tag=lthd I received an email on the 17th (which I ignored with elm) with these headers: SUBJECT: Program's files, including this X-MSMail-Priority: Normal X-Priority:

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Rusty Brooks
Right. Well, Code Red just tried one URL. This one checks about a hundred places per attacking host to see if you're vulnerable. It's actually slowing things down on our websites pretty noticeably. -- Rusty Brooks : http://www.rustybrooks.org/ Spewi

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Tom Jackson
Rusty Brooks wrote: > > > this is just too annoying. Hmm, I seem to be getting thousands of requests as well. This is definitely different than codered. --Tom Jackson

Re: [AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Rusty Brooks
> this is just too annoying. Indeed. Hasn't anyone ever heard of doing a HEAD to see if you're attacking a real IIS server before sending a few hundred requests? Rusty -- Rusty Brooks : http://www.rustybrooks.org/ Spewing wisdom from every orifice --

[AOLSERVER] Code Rainbow attacks

2001-09-18 Thread Freddie Mendoza
I just went to one of the security web sites and here is what they had on the front page cut A new, malicious worm targeting Microsoft Web servers is in the wild and is frenetically scanning the Internet, security experts said today. Starting this morning, numerous system administrators h