
Re: nimda




I have seen similar implementations where a Perl script is used instead
and drops in an ipchains or ipfw rule to block that particular host, kind
of like the way portsentry works for port scanners.

You can then unblock them after the threat is over by simply flushing all
your firewall rules. This will take strain off your web server, since
connections stop at the firewall if the firewall is on a separate box, say
a P133.

Noah.

On Tue, 25 Sep 2001, Rob Hunter wrote:

> Hi
>
> > I got this off the isp-linux list. It apparently seems to work.
> > It causes the infected machine to be redirected back upon itself. In the
> > past hour i have seen the attacks reduced to almost none.
>
> How does this bring the amount of attempts down?
>
> If you're going to keep a script on your box doing work when it finds
> these attempts, you may want to try the attached script (or something
> similar) which could possibly bring the amount of infected hosts down by
> some minuscule percentage (hey, it's a start).
>
> This one basically uses the same IIS exploit to connect back to the
> offending party, sends a winpopup with a predetermined message (e.g. Your
> machine is infected with Code Red, please go to http://blahblahblah to fix
> it) and it also opens a browser window with a predetermined url.
>
> The script was written for Code Red, I haven't actually checked yet if it
> catches Nimda stuff.
>
> Regards
>
> --Rob
>


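The log-watching blocker described above, written out as an added example; it is not the Perl script from the isp-linux list nor anything attached to this thread. It assumes Apache common-log-format lines on stdin and either ipchains (Linux 2.2) or ipfw (FreeBSD) on the firewall box; the log lines are constructed, and DRY_RUN=1 (the default here) prints the rules instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): turn Nimda/Code Red probes seen in a
# web-server log into per-host block rules, portsentry-style, and flush them
# later. Assumptions: Apache common-log-format lines on stdin; ipchains
# (Linux 2.2) or ipfw (FreeBSD) on the firewall box. DRY_RUN=1 prints the
# rules instead of executing them, so it can be checked without root.

# URL fragments the two worms request: cmd.exe/root.exe traversal (Nimda)
# and the default.ida buffer overflow (Code Red). Brackets avoid backslash
# escapes, which awk -v would mangle.
NIMDA_PATTERN='cmd[.]exe|root[.]exe|default[.]ida'

FIREWALL_CMD="${FIREWALL_CMD:-ipchains}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of an access log during the outbreak (RFC 5737 addresses).
SAMPLE_LOG='192.0.2.10 - - [19/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [19/Sep/2001:10:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [19/Sep/2001:10:00:03 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 -
203.0.113.5 - - [19/Sep/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1234
192.0.2.10 - - [19/Sep/2001:10:00:05 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -'

# Print the rule that blocks one host on the chosen firewall.
block_rule() {
    case "$FIREWALL_CMD" in
        ipchains) echo "ipchains -I input -s $1 -j DENY" ;;
        ipfw)     echo "ipfw add 1000 deny ip from $1 to any" ;;
        *)        echo "block_rule: unknown firewall $FIREWALL_CMD" >&2; return 1 ;;
    esac
}

# Print the command that drops every rule added above ("unblock them all").
flush_rule() {
    case "$FIREWALL_CMD" in
        ipchains) echo "ipchains -F input" ;;
        ipfw)     echo "ipfw -f flush" ;;
        *)        echo "flush_rule: unknown firewall $FIREWALL_CMD" >&2; return 1 ;;
    esac
}

# Source IPs of worm probes in the log on stdin, first-seen order, each once,
# so a host hammering the server is blocked one time rather than per request.
# Streaming dedupe in awk means this also works behind "tail -f".
nimda_hosts() {
    awk -v pat="$NIMDA_PATTERN" '$0 ~ pat && !seen[$1]++ { print $1 }'
}

# Execute (or, in dry-run mode, print) the block rule for each offending host.
block_nimda_hosts() {
    nimda_hosts | while read -r ip; do
        rule=$(block_rule "$ip") || continue
        if [ "$DRY_RUN" = 1 ]; then echo "$rule"; else eval "$rule"; fi
    done
}

# Execute (or print) the flush once the worm traffic has died down.
unblock_all() {
    rule=$(flush_rule) || return 1
    if [ "$DRY_RUN" = 1 ]; then echo "$rule"; else eval "$rule"; fi
}

# Demo on the constructed log. A live run on the firewall box would be
# something like:  tail -f /var/log/httpd/access_log | DRY_RUN=0 sh this.sh
printf '%s\n' "$SAMPLE_LOG" | block_nimda_hosts
unblock_all
```

Two caveats for anyone running this for real: the worm's scans are full TCP connections, so the source address is genuine and safe to block, but any host behind a NAT or proxy shares that address, so a single infected PC can get a whole office blocked; and ipchains walks its rules linearly, so a chain with thousands of DENY entries adds per-packet cost, which is another reason to flush the table once the wave subsides rather than leave it growing.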
-----
This is the afnog mailing list, managed by Majordomo 1.94.4

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org