Security Incidents mailing list archives
RE: Tracking down the still infected hosts
From: "Fulton L. Preston Jr." <fulton () prestons org>
Date: Tue, 25 Sep 2001 15:04:27 -0400
Well, if it doesn't honor redirects it IS doing something. I doubt that the rate of 60 requests a minute going to almost nothing in a few minutes after implementing this is just coincidence. A quick check of an offending IP address before implementation showed that IIS was running fine. After implementing, the IIS server responds "Not enough resources to complete request" and eventually stops responding altogether. It does do something to the offending machine, that much is clear; what it is doing is a question I'll leave someone else to answer.

Fulton.

-----Original Message-----
From: Tina Bird [mailto:tbird () precision-guesswork com]
Sent: Tuesday, September 25, 2001 12:25 PM
To: Kyle R. Hofmann
Cc: incidents () securityfocus com
Subject: Re: Tracking down the still infected hosts

Can I ask a question? According to Ryan Russell (who's been analyzing the worm code), Nimda doesn't honor redirects - it just checks the response it gets from a Web server to determine whether or not the server is vulnerable. It doesn't follow redirects. So what does this actually accomplish? Isn't it possible that the Nimda traffic is going down because of the decaying growth curve of propagation? Or am I just missing something?

confused -- tbird

On Mon, 24 Sep 2001, Kyle R. Hofmann wrote:
Date: Mon, 24 Sep 2001 23:42:31 -0700
From: Kyle R. Hofmann <krh () lemniscate net>
To: incidents () securityfocus com
Subject: Re: Tracking down the still infected hosts

On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
> I implemented the methods below on my IIS and Apache servers and it knocked all the local Nimda traffic dead in minutes. Nimda traffic from neighboring ISPs was way down within an hour. Since I am on a cable modem I can't control the rest of the network around me but this sure did shut them noisy infected boxes up in a hurry :)

For machines that don't run a web server, I wrote a short perl script that will send an HTTP/1.1 Redirect to anyone attempting to access port 80. I'm not very familiar with the HTTP protocol, so I may have done something that's technically incorrect, but lynx honors the redirect just fine, so I think it's OK. The script is appended to this message.
LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
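The port-80 redirect responder Kyle describes in the thread, as an added example written for this page rather than taken from it (his perl script is not reproduced here): a small Python listener that answers every request with an HTTP/1.1 302 and keeps a per-source count. As Tina points out, a client that only inspects the response code never follows the redirect, so for tracking down the still-infected hosts the useful output is the log of who connected, not the redirect itself. The redirect target, listen port and the addresses used in the checks are constructed placeholders.

```python
# Added example: a minimal redirect responder for hosts that run no web server.
# Not the perl script from the thread; the target URL, the listen port and the
# sample addresses are constructed placeholders.
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

REDIRECT_TARGET = "http://redirect.example.invalid/"   # placeholder target
LISTEN_ADDR = ("0.0.0.0", 8080)   # port 80 needs root; 8080 for an unprivileged run
MAX_REQUEST_BYTES = 4096           # never buffer more than this per connection


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line of an HTTP request,
    or None when the data is not a well-formed request line."""
    first = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    try:
        parts = first.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def build_redirect(target: str = REDIRECT_TARGET) -> bytes:
    """Build an HTTP/1.1 302 response with correct framing: Content-Length 0
    tells the client there is no body, Connection: close keeps a client that
    never reads from holding the socket open."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def handle_request(raw: bytes, peer_ip: str):
    """Decide the reply for one connection and produce a log record.
    Returns (response_bytes, record). Malformed requests still get the
    redirect (the point is to answer anything on the port) but are flagged
    so the operator can separate scanners from ordinary clients."""
    parsed = parse_request_line(raw)
    record = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": peer_ip,
        "method": parsed[0] if parsed else None,
        "target": parsed[1] if parsed else None,
        "wellformed": parsed is not None,
    }
    return build_redirect(), record


def sources_by_hits(records):
    """Rank source addresses by request count; the hosts that keep coming
    back are the ones worth reporting to their network's abuse contact."""
    return Counter(r["src"] for r in records).most_common()


def _client(conn, peer_ip, records):
    with conn:
        conn.settimeout(5.0)   # a client that never sends a request line is dropped
        try:
            raw = conn.recv(MAX_REQUEST_BYTES)
        except socket.timeout:
            raw = b""
        response, record = handle_request(raw, peer_ip)
        records.append(record)
        print(f"{record['time']} {record['src']} {record['method']} "
              f"{record['target']} wellformed={record['wellformed']} -> 302")
        try:
            conn.sendall(response)
        except OSError:
            pass   # peer reset the connection; the record is already logged


def serve(addr=LISTEN_ADDR, records=None):
    """Accept loop: one short-lived thread per connection, reply, close."""
    records = [] if records is None else records
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(addr)
        srv.listen(64)
        while True:
            conn, (peer_ip, _) = srv.accept()
            threading.Thread(target=_client, args=(conn, peer_ip, records),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it as root (or behind a port forward) to answer on port 80, or keep the default 8080 to try it unprivileged; each connection prints one line and the in-memory records can be ranked with sources_by_hits() to see which addresses keep probing.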