RE: Tracking down the still infected hosts

From: Fulton L. Preston Jr. (fultonat_private)
Date: Tue Sep 25 2001 - 12:04:27 PDT

  • Next message: Neil Dickey: "Re: Tracking down the still infected hosts"

    Well, if it doesn't honor redirects it IS doing something.  I doubt that
    the rate of 60 requests a minute going to almost nothing in a few
    minutes after implementing this is just coincidence.
    
    A quick check of an offending IP address before implementation showed
    that IIS was running fine.  After implementing, the IIS server responds
    "Not enough resources to complete request" and eventually stops
    responding altogether.  It does do something to the offending machine,
    that much is clear; what it is doing is a question I'll leave someone
    else to answer.
    
    Fulton.
    
    
    
    
    
    -----Original Message-----
    From: Tina Bird [mailto:tbird@precision-guesswork.com] 
    Sent: Tuesday, September 25, 2001 12:25 PM
    To: Kyle R. Hofmann
    Cc: incidentsat_private
    Subject: Re: Tracking down the still infected hosts 
    
    Can I ask a question?
    
    According to Ryan Russell (who's been analyzing the
    worm code), Nimda doesn't honor redirects - it just
    checks the response it gets from a Web server to 
    determine whether or not the server is vulnerable.
    It doesn't follow redirects.  So what does this 
    actually accomplish?
    
    Isn't it possible that the Nimda traffic is going down
    because of the decaying growth curve of propagation?
    Or am I just missing something?
    
    confused -- tbird
    
    On Mon, 24 Sep 2001, Kyle R. Hofmann wrote:
    
    > Date: Mon, 24 Sep 2001 23:42:31 -0700
    > From: Kyle R. Hofmann <krhat_private>
    > To: incidentsat_private
    > Subject: Re: Tracking down the still infected hosts 
    > 
    > On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
    > > I implemented the methods below on my IIS and Apache servers and it
    > > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
    > > neighboring ISPs was way down within an hour.  Since I am on a cable
    > > modem I can't control the rest of the network around me but this sure
    > > did shut them noisy infected boxes up in a hurry :)
    > 
    > For machines that don't run a web server, I wrote a short perl script that
    > will send an HTTP/1.1 Redirect to anyone attempting to access port 80.  I'm
    > not very familiar with the HTTP protocol, so I may have done something that's
    > technically incorrect, but lynx honors the redirect just fine, so I think it's
    > OK.  The script is appended to this message.
    > 
    > 
    
    LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
    VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    life: http://kubarb.phsx.ukans.edu/~tbird
    work: http://www.counterpane.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 13:14:06 PDT