On Thu, 6 Sep 2001, Alexander Sarras (SEA) wrote:

> It might be discussable installing a - easily uninstallable - routine
> which send emails and (broadcast) messages to admin account accessible
> from the infected box, stating very clearly what to do 1) to get rid of
> the worm 2) to get rid of that utility afterwards. But surely not
> another virus.

That's what Early Bird (first released early last month) does. Early Bird is a PERL script that acts as a decoy for Code Red by sitting in the htdocs directory under the name 'default.ida'. When it receives a scan from a Code Red infected system, it snags the IP address, performs a lookup for the cognizant party for that netblock (whether they're in the ARIN, APNIC, or RIPE databases), and fires off an e-mail with the relevant log excerpts. One can even cc the abuse@ address for good measure. :)

Version 2.3 of Early Bird was just released a couple of hours ago. If anyone's interested, they can find more information at the following URL: http://www.treachery.net/earlybird/. (I honestly didn't want to make this a shameless plug, but I figured nobody wanted to reinvent the wheel here.) ;)

-Jay

Jay D. Dyson -- jdysonat_private
"There's always time for a good cup of coffee"
Failure is never as devastating as regret.
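The flow described in the message above (spot requests for `default.ida`, collect the source address, map it to the responsible netblock contact, attach the log excerpts) can be sketched as follows. This is an added example, not Early Bird's code and not part of the original post. It assumes Common Log Format input; the `CONTACTS` table is a constructed stand-in for the ARIN/APNIC/RIPE lookup, and the function names, addresses and log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format request for the decoy path named in the post.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?:GET|HEAD|POST) /default\.ida(?:\?[^" ]*)? [^"]*" \d{3} \S+')

# Constructed stand-in for the registry lookup: netblock -> contact.
CONTACTS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-b.example",
}

# Constructed sample log (documentation addresses, shortened query padding).
SAMPLE_LOG = """\
192.0.2.17 - - [06/Sep/2001:09:14:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 512
198.51.100.4 - - [06/Sep/2001:09:15:40 -0700] "GET /index.html HTTP/1.0" 200 2048
192.0.2.17 - - [06/Sep/2001:09:20:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 512
203.0.113.9 - - [06/Sep/2001:09:21:55 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 512
not a log line
"""

def find_probes(log_text):
    """Group matching lines by source IP; skip unparsable lines and non-IP clients."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            hits[ipaddress.ip_address(m.group("ip"))].append(line)
        except ValueError:
            continue  # client field is a hostname or garbage
    return dict(hits)

def contact_for(ip):
    """Contact for the most specific known netblock containing ip, else None."""
    nets = [n for n in CONTACTS if ip in n]
    return CONTACTS[max(nets, key=lambda n: n.prefixlen)] if nets else None

def build_notices(log_text):
    """Return {contact: notice text}; sources without a known contact map to None."""
    grouped = defaultdict(list)
    probes = sorted(find_probes(log_text).items(), key=lambda kv: int(kv[0]))
    for ip, lines in probes:
        grouped[contact_for(ip)].append(f"{ip} ({len(lines)} request(s))")
        grouped[contact_for(ip)].extend("  " + l for l in lines)
    header = "Hosts in your netblock requested /default.ida on our web server. Log excerpts:"
    return {c: "\n".join([header] + body) for c, body in grouped.items()}
```

Calling `build_notices(SAMPLE_LOG)` yields one notice per contact; sources that fall outside every known netblock are collected under the `None` key for manual lookup rather than dropped.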