I think the best response would be to log in using
the telnet backdoor, delete the IIS EXE and/or DLLs
(or better - just delete the %windir%\System32\idq.dll
if that stops it?) then force a reboot - even without
a reboot, the next time they did reboot the problem
would go away - and hell, Windows servers don't run for
very long without requiring a reboot do they? :-)

Now I'm sure this could be automated from the access_log
:-)

Anyone got the time and the inclination to do this?

I would actually suggest that we should be quite within
our rights to do this!

Hmmm ... I might have a quick look at what's involved ...

Certainly worth posting to the general internet if someone
did it :-)

If I actually run over my usage limit for this or next
month ... very unlikely, but ... then effectively I am
paying money because of the IDIOTS that run these STUPID
MS IIS servers and don't have even half a brain to work
out what is going on or to fix it up.

But I didn't say that did I? :-)

-Cheers
-Andrew
--
MS ... if only he hadn't been hang gliding!

> From: "Stephen Carville" <[EMAIL PROTECTED]>
> 
>> On Mon, 6 Aug 2001, Alejandro González Hernández - Imoq wrote:
>>
>> - Hi!
>> -
>> - I seem to be getting a kind of web exploit in my server. I have
>> - noticed this in error_log since two days ago (I'll paste just a
>> - little bit of the file, of course):
>>
>> Code Red Worm.  It is an IIS exploit that is looking for more sites to
>> subvert.
>>
>> I am sorely tempted to throw together a Perl script to extract the
>> addresses, get the MX record for the domain and send off an email to
>> usual names asking them to fix their f**king servers.  Won't do any good
>> of course.
> 
> Stephen, sending email to the wrong place will never do any good. It is
> a really twittish response. At the very least access the website thus
> revealed. You'll find that most of them are home machines that do not
> even have IIS fully installed enough to display the canned example web
> site. Until all or almost all machines are cleaned up the problem will
> not go away. (And backdoors will exist on a simply amazing number of
> machines.)
> 
> {^_^}



_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list