No subject
Tue Dec 2 02:44:59 GMT 2003
---------------
[root at firefly httpd]# for i in 00 01 02 03 04 05 09 10 11 12 13 14 15 16 17 ; do
>   echo -n "$i: "
>   grep -c "07/Aug/2001\:$i.*GET.*XXXXXXXXX" *access* | cut -f 2 -d ':' | ~/bin/sigma.pl
> done
00: 8
01: 11
02: 6
03: 6
04: 39
05: 14
09: 14
10: 14
11: 12
12: 12
13: 18
14: 12
15: 15
16: 15
17: 0
[root at firefly httpd]#
---------
The others are similar.
You should have a look at the spreading mechanism for the code. I haven't
really thought about the effects of the way it perturbs the address ranges
it attacks, but I think if there is someone with a whole slew of
infected machines with a different-third-bit-of-dotted-quad as your
network then you can expect a lot of hits.
> - In a sense we're paying for this traffic, so I was wondering if anyone
> had had any luck trying to convince their upstream provider to block the
> traffic.
Some example rules were posted to bugtraq.
> - are we allowed to do smurf type attacks on offending machines to try to
> disable their IP stacks?
Technically, yes. Legally, almost certainly not :-)
There is an easier way than smurfing. Remember that this virus installs a
trojan _and_ drops cmd.exe into a scripts directory :-)
Non-working example:
--
telnet victim.com 80
GET /root.exe HTTP/1.0
Host: victim.com
deltree c:\
--
One less machine for someone to disinfect, one more machine for someone to
reinstall. (not really; IIS should not have full privs.).
There are working examples out there, apparently.
> - from what I'm seeing, the general response from everyone is to ignore the
> problem. Is this true or are people actually doing something?
It's not chewing up an appreciable piece of my bandwidth :-)
> I'm sorely tempted to simply disable all logging of the problem and ignore
> it.
I'm just very glad there isn't a version out there which attacks
NT-4.0; AFAIK this is a W2k + IIS bug only. Apparently all that's really
needed is to change the offset to get things to work for NT-4.....
Yours,
--
Peter Barker | N _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek | W + E / /\
pbarker at barker.dropbear.id.au | S \_,--?_*<-- Canberra
You need a bigger hammer. | v [35S, 149E]
"When used legally and in its intended fashion, the Acrobat eBook Reader secures eBooks purchased by locking the eBook to the hardware from which it was purchased." -- Adobe press release
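The shell loop at the top of the message counts worm hits per hour by grepping every access log for the day, hour and "GET ... XXXXXXXXX" pattern, cutting out the per-file counts and summing them with a helper script. The following is an added example, not code from the post or its author, that does the same tally in Python over constructed Apache log lines, and additionally picks out source hosts that both sent the default.ida probe and asked for the root.exe the post mentions. The log lines, the two file names, and the root.exe/cmd.exe patterns are assumptions made for the example; the "GET.*XXXXXXXXX" expression is the one the post greps for.

```python
import re

# One Apache common/combined log line, for example:
# 192.0.2.10 - - [07/Aug/2001:04:12:01 +1000] "GET /default.ida?XXX... HTTP/1.0" 404 289
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):(?P<hour>\d{2}):\d{2}:\d{2} [^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Request patterns to tally. "default.ida" is the post's own grep expression;
# the root.exe / cmd.exe entries are an assumption based on the paths the post
# mentions, not a complete worm signature.
PROBE_PATTERNS = {
    "default.ida": re.compile(r"GET.*XXXXXXXXX"),
    "root.exe": re.compile(r"/root\.exe", re.IGNORECASE),
    "cmd.exe": re.compile(r"/cmd\.exe", re.IGNORECASE),
}

# Constructed sample logs (two files, as the post's *access* glob would match).
# Addresses are documentation ranges; the default.ida query string is shortened.
SAMPLE_LOGS = {
    "access_log": """\
192.0.2.10 - - [07/Aug/2001:04:12:01 +1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
192.0.2.10 - - [07/Aug/2001:04:12:03 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
198.51.100.7 - - [07/Aug/2001:04:40:55 +1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
203.0.113.9 - - [07/Aug/2001:05:01:17 +1000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [08/Aug/2001:04:02:17 +1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
""",
    "ssl_access_log": """\
198.51.100.7 - - [07/Aug/2001:04:41:02 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
192.0.2.10 - - [07/Aug/2001:13:59:59 +1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
""",
}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_hits_by_hour(log_texts, day, pattern):
    """Per-hour count of lines matching `pattern` on `day`, summed over all logs.

    This is the post's  grep -c ... *access* | cut -f 2 -d ':' | sigma.pl  in one
    pass, for every hour rather than a hand-typed list of them.
    """
    hits = {f"{h:02d}": 0 for h in range(24)}
    for text in log_texts.values():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None or rec["day"] != day:
                continue  # unparsable line, or a different day
            if pattern.search(line):
                hits[rec["hour"]] += 1
    return hits


def sources_with_followup(log_texts, day):
    """IPs that sent the default.ida probe and also requested root.exe/cmd.exe on `day`."""
    seen = {}  # ip -> set of matched pattern names
    for text in log_texts.values():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None or rec["day"] != day:
                continue
            for name, pat in PROBE_PATTERNS.items():
                if pat.search(line):
                    seen.setdefault(rec["ip"], set()).add(name)
    return {ip for ip, names in seen.items()
            if "default.ida" in names and names & {"root.exe", "cmd.exe"}}


if __name__ == "__main__":
    day = "07/Aug/2001"
    table = count_hits_by_hour(SAMPLE_LOGS, day, PROBE_PATTERNS["default.ida"])
    for hour, n in table.items():
        if n:
            print(f"{hour}: {n}")
    print("hosts that also asked for root.exe/cmd.exe:",
          sorted(sources_with_followup(SAMPLE_LOGS, day)))
```

Parsing the timestamp field rather than grepping for "07/Aug/2001:04" keeps the hour match from accidentally hitting a similar substring elsewhere on the line, and matching the probe patterns against parsed records makes it easy to pivot from "how many hits" to "which hosts", which is what you need before asking an upstream to block anything.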