No subject


Tue Dec 2 02:44:59 GMT 2003


---------------
[root at firefly httpd]# for i in 00 01 02 03 04 05 09 10 11 12 13 14 15 16 17 ; do
> echo -n "$i: "; grep -c "07/Aug/2001\:$i.*GET.*XXXXXXXXX" *access* | cut -f 2 -d ':' | ~/bin/sigma.pl
> done
00: 8
01: 11
02: 6
03: 6
04: 39
05: 14
09: 14
10: 14
11: 12
12: 12
13: 18
14: 12
15: 15
16: 15
17: 0
[root at firefly httpd]# 
---------
The others are similar.

You should have a look at the spreading mechanism for the code. I haven't
really thought about the effects of the way it perturbs the address ranges
it attacks, but I think if there is someone with a whole slew of
infected machines with a different-third-bit-of-dotted-quad as your
network then you can expect a lot of hits.

> - In a sense we're paying for this traffic, so I was wondering if anyone
> had had any luck trying to convince their upstream provider to block the
> traffic.

Some example rules were posted to bugtraq.

> - are we allowed to do smurf type attacks on offending machines to try to
> disable their IP stacks?

Technically, yes. Legally, almost certainly not :-)

There is an easier way than smurfing. Remember that this virus installs a
trojan _and_ drops cmd.exe into a scripts directory :-)

Non-working example:
--
telnet victim.com 80
GET /root.exe HTTP/1.0
Host: victim.com

deltree c:\
--
One less machine for someone to disinfect, one more machine for someone to
reinstall. (not really; IIS should not have full privs.).

There are working examples out there, apparently.

> - from what I'm seeing, the general response from everyone is to ignore the
> problem. Is this true or are people actually doing something?

It's not chewing up an appreciable piece of my bandwidth :-)

> I'm sorely tempted to simply disable all logging of the problem and ignore
> it.

I'm just very glad there isn't a version out there which attacks
NT-4.0; AFAIK this is a W2k + IIS bug only. Apparently all that's really
needed is to change the offset to get things to work for NT-4.....

Yours,
-- 
Peter Barker                          |   N    _--_|\ /---- Barham, Vic 
Programmer,Sysadmin,Geek              | W + E /     /\                
pbarker at barker.dropbear.id.au         |   S   \_,--?_*<-- Canberra      
You need a bigger hammer.             |             v    [35S, 149E]   
"When used legally and in its intended fashion, the Acrobat eBook Reader secures eBooks purchased by locking the eBook to the hardware from which it was purchased." -- Adobe press release
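The per-hour counting loop in the post above (grep -c per hour, counts summed by sigma.pl) as a stand-alone Python script, added here as an example; it is not code from the original message or from its author. It parses Apache common/combined log lines, counts GET requests whose path carries the worm marker (the run of X characters the post greps for) per hour for a given day, and also tallies hits per source address, which is the kind of evidence one would attach when asking an upstream provider to filter. The log lines are constructed for the example, not real traffic; the /default.ida probe path is the one commonly reported for this worm, but the sample contents and addresses are made up.

```python
"""Count worm probes per hour and per source in Apache access logs.

Added example, not the post author's code. Sample lines below are
constructed for illustration (reserved/example address ranges).
"""
import re
from collections import Counter

# Apache common/combined log format:
# client ident user [day:HH:MM:SS tz] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2}/\w{3}/\d{4}):(?P<hour>\d{2}):\d{2}:\d{2} [^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample access-log lines (not real traffic). The marker the post
# greps for is the long run of "X" characters in the request path.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2001:04:12:31 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    '10.0.0.5 - - [07/Aug/2001:04:13:02 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    '10.0.0.5 - - [07/Aug/2001:04:55:48 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    '192.0.2.17 - - [07/Aug/2001:04:40:10 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    '192.0.2.17 - - [07/Aug/2001:13:05:44 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    '198.51.100.9 - - [07/Aug/2001:13:59:59 +1000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [08/Aug/2001:00:01:00 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 324 "-" "-"',
    'this is not a log line',
]


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(entry, marker="XXXXXXXXX"):
    """True when the request looks like the worm probe: a GET whose path contains the marker."""
    return entry["method"] == "GET" and marker in entry["path"]


def hits_per_hour(lines, day="07/Aug/2001", marker="XXXXXXXXX"):
    """Count probe requests for each hour of `day`; hours with no hits are reported as 0,
    like the "17: 0" row in the post."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["day"] == day and is_probe(entry, marker):
            counts[entry["hour"]] += 1
    return {f"{h:02d}": counts[f"{h:02d}"] for h in range(24)}


def top_sources(lines, marker="XXXXXXXXX", n=3):
    """Source addresses sending the most probes (any day), most active first."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_probe(entry, marker):
            counts[entry["ip"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    # Mirrors the post's "HH: count" output, one line per hour.
    for hour, count in hits_per_hour(SAMPLE_LOG).items():
        print(f"{hour}: {count}")
    print("top sources:", top_sources(SAMPLE_LOG))
```

To run it over real logs, replace SAMPLE_LOG with the lines of each *access* file (the regex is anchored, so rotated or gzip-decompressed files in the same format work unchanged); the hour bucket is taken from the timestamp field, so it is not fooled by an X-run that happens to appear elsewhere on the line, which the post's single grep pattern would be.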




