Re: CodeRed wormcatcher found on the net

From: Jay D. Dyson (jdysonat_private)
Date: Fri Aug 24 2001 - 10:31:39 PDT


    On Fri, 24 Aug 2001, Martin Markgraf wrote: 
    
    > Attached you will find an interesting perl program I found on the net.
    > It's some kind of "wormcatcher" for the CR II and I haven't seen it
    > mentioned on the list before.  It reads the local webserver logfile and
    > if it finds a CR II attempt it tries to execute several commands on the
    > offending server. 
    
    	I'll preface my remarks by stating that everyone should do what
    they want ('cause they will anyway).  That said, I have to say that the
    counterattack approach is an all-around Bad Idea.
    
    	First off, this tool promotes unauthorized access.  You think the
    ISP or the boys at the Bureau care what your intentions are?  Strike One.
    
    	Secondly, this tool alters the functioning of the target system.
    Tampering with a crime scene, anyone?  Strike Two.
    
    	Last of all, this tool provides no notification of a breach at the
    original site (apart from doing things like shutting services off or
    installing BO2K).  Even warships fire off a warning shot before lobbing
    artillery.  Strike Three, yer outta there. 
    
    	I'd recommend incident.pl (http://www.cse.fau.edu/~valankar/) or
    Early Bird[1] (http://www.treachery.net/~jdyson/earlybird/) as a far
    better solution for handling Code Red and its ilk. 
    
    -Jay
    
    1.  A plug...but not entirely shameless.  ;)
    
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-------- Real men prefer full disclosure. --------'  `------'
    
    


