Can I ask a question? According to Ryan Russell (who's been analyzing the worm code), Nimda doesn't honor redirects - it just checks the response it gets from a Web server to determine whether or not the server is vulnerable. It doesn't follow redirects. So what does this actually accomplish? Isn't it possible that the Nimda traffic is going down because of the decaying growth curve of propagation? Or am I just missing something?

confused --

tbird

On Mon, 24 Sep 2001, Kyle R. Hofmann wrote:

> Date: Mon, 24 Sep 2001 23:42:31 -0700
> From: Kyle R. Hofmann <krhat_private>
> To: incidentsat_private
> Subject: Re: Tracking down the still infected hosts
>
> On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
> > I implemented the methods below on my IIS and Apache servers and it
> > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> > neighboring ISPs was way down within an hour. Since I am on a cable
> > modem I can't control the rest of the network around me but this sure
> > did shut them noisy infected boxes up in a hurry :)
>
> For machines that don't run a web server, I wrote a short perl script that
> will send an HTTP/1.1 Redirect to anyone attempting to access port 80. I'm
> not very familiar with the HTTP protocol, so I may have done something that's
> technically incorrect, but lynx honors the redirect just fine, so I think it's
> OK. The script is appended to this message.
>

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 11:40:43 PDT
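The exchange above turns on one HTTP detail: a "redirect-only" responder on port 80 only changes anything for a client that actually chases the Location header. The block below is an added example, not the Perl script Kyle Hofmann appended to his message (which is not on this page) and not Ryan Russell's analysis of the worm. It builds the kind of 302 response such a responder would send, a `scanner_verdict()` that models a client which judges a host purely from the first status line (an assumption about how a non-following scanner behaves in general, not a claim about Nimda's exact decision logic), and a `follow_redirects()` that walks Location headers the way lynx does. The `serve()` listener, the `REDIRECT_TO` address and all function names are hypothetical choices for this example.

```python
"""Added example for the port-80 redirect discussion above.
Not the thread's Perl script; names and addresses are assumptions."""
import socket
import sys

# Assumption: somewhere harmless to point the redirect; nothing answers here.
REDIRECT_TO = "http://127.0.0.1:1/"


def redirect_response(location: str = REDIRECT_TO) -> bytes:
    """Well-formed 302 for any request. Content-Length and Connection: close
    let the peer know the response is complete and the socket will go away."""
    body = f"Moved: {location}\r\n".encode()
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + body


def parse_response(raw: bytes):
    """Return (status_code, {lower-case header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *hdr_lines = head.split("\r\n")
    code = int(status.split()[1])
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def scanner_verdict(raw: bytes) -> str:
    """Model of a client that never follows redirects: it classifies the host
    from the first status line only. Assumption for this example: a 200 to the
    probe is 'candidate', anything else is a miss. The redirect is therefore
    just another non-200 to such a client, whatever its Location says."""
    code, _ = parse_response(raw)
    return "candidate" if code == 200 else f"miss ({code})"


def follow_redirects(fetch, url: str, max_hops: int = 5):
    """Browser/lynx-like client. fetch(url) -> raw response bytes.
    Returns the (url, status) trail. A redirect-only responder that points at
    itself keeps a following client bouncing until max_hops runs out."""
    trail = []
    for _ in range(max_hops):
        code, headers = parse_response(fetch(url))
        trail.append((url, code))
        if code not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = headers["location"]
    return trail


def serve(port: int = 80):
    """Answer every TCP connection on `port` with the redirect, ignoring what
    was requested. Binding port 80 needs root or CAP_NET_BIND_SERVICE."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(2)
            try:
                request = conn.recv(1024)
            except socket.timeout:
                request = b""
            first_line = request.split(b"\r\n", 1)[0]
            # Log the probe so the redirect box doubles as a scanner counter.
            print(f"{peer[0]} {first_line!r}", file=sys.stderr)
            conn.sendall(redirect_response())


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Run it as `python3 redirect80.py 8080` and point lynx at the port to see the redirect honored; `scanner_verdict(redirect_response())` shows what a client that stops at the first response sees instead, which is the distinction tbird's question is about.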