Re: FW: Careful. This is for information only.
Thus spake Craig Dickson (firstname.lastname@example.org):
> Robert L. Harris wrote:
> > 2 thoughts.
> If you want to call them that, okay.
> Sorry, I'm getting mildly annoyed by the conversation at this point.
> We seem to be dividing into two groups: those with a clue, and those
> who neither have one nor seem able to catch one when it floats by.
> By now, I think anyone who previously lacked a clue but was capable
> of acquiring one has done so.
Ok, so your thinking is so much better than everyone else's. You take
over the world and be the benevolent dictator.
> > 1) Write a script that instead of shutting down the system
> > applies a hot-fix or shuts the worm off, maybe a cron-type "at" job that
> > removes the files the worm puts in place and then emails the admin
> > with a "hey your box is hacked, fix it"...
> How many messages have we had today proposing this or pointing out that
> legally this is the same as the original worm? Unauthorized access is
> unauthorized access.
> And what's all this nonsense about mailing the admin or setting up a
> cron job? Are you by chance thinking that Code Red runs on Unix? The
> average Windows 2000 machine doesn't run a mail transport, especially
> not the home cable/DSL systems that seem to be the biggest problem at
> this point. You can complain to their ISP if you like. I think that's
> already being done by various people.
How much do you know about a Windows box? There IS an "at" job for Windows.
It basically acts as a cron job, just called "at". It's usually an add-on
but does exist, and a lot of production systems will use it for rotating
logs, restarting services that aren't "services" and the like.
As for mail, did you know you can send mail to a domain? Ok, so
fubar.company.com starts hitting my firewall, webservers, network with
requests. My UNIX web servers see the request for the default.ida file,
so I send out a happy little message. On the NON-UNIX mail servers there's
another method. It's called telnetting to the machine assigned the MX record
for company.com and using a "here" document to send the email. Ever tried
that? It works.
> > 2) My understanding is that this was made by some Chinese hacker
> > ticked off about that spy plane garbage and is DDOS'ing
> > whitehouse.gov. Being that we don't seem to be getting much help
> > shutting this down since v2 is now out, let's change DNS for a week
> > and point whitehouse.gov to china.gov or some such mess.
> You not only haven't been reading this list very carefully, you also
> haven't been reading the news. The attack on www.whitehouse.gov is by a
> hard-coded (and now obsolete) IP address, not by DNS name. There is also
> no proof at all that Code Red is of Chinese origin; the only indication
> of that is the "Hacked by Chinese!" web page that hacked servers display
> for a few hours after their initial infection. I don't know about you,
> but if I were going to write something like Code Red, I would include
> something like this as pure misdirection, to reduce the chance of
> getting caught.
Hmm. "My understanding"... Yup, I was stating a fact, wasn't I? No, I
didn't know it was a hard-coded IP, but someone else POLITELY, without attitude,
on the list just informed me of that. We can still point the entry somewhere
else, like the loopback addr or /dev/null.
Have you ever heard of something called brainstorming or free thinking? You
throw out odd ideas and see what comes back. No, the idea of throwing it at
the Chinese wasn't going to happen, especially since we don't know it was
them or whatever. But how about the idea of having them sent to a dead
interface at each backbone router? Get the traffic off the backbone
or anywhere else.
IT'S CALLED THINKING OF OPTIONS!
Robert L. Harris        | Micros~1 :
Senior System Engineer  | For when quality, reliability
at RnD Consulting       | and security just aren't
                        \_ that important!
These are MY OPINIONS ALONE. I speak for no-one else.
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
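The "web servers see the request for the default.ida file, so I send out a message" step above, as an added example written for this page and not part of the original thread: it scans constructed Common Log Format lines for the Code Red probe (a GET for /default.ida), tallies the source addresses, and composes the admin notification. The log lines, the addresses and the webmaster@example.net sender are constructed; the message is only returned as text, never sent.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format). The Code Red probe
# is a GET for /default.ida with a long run of 'N' (v1) or 'X' (v2) padding.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2001:14:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 257
198.51.100.23 - - [19/Jul/2001:14:02:15 -0600] "GET /index.html HTTP/1.1" 200 1534
203.0.113.7 - - [19/Jul/2001:14:05:40 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 257
192.0.2.99 - - [19/Jul/2001:14:06:02 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 257
"""

# Source IP, timestamp, method and request path from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def code_red_sources(log_text):
    """Return {source_ip: hit_count} for every request aimed at /default.ida."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").lower().startswith("/default.ida"):
            hits[m.group("ip")] += 1
    return dict(hits)


def notification(ip, count, reporter="webmaster@example.net"):
    """Compose the 'hey, your box is hacked' message for one probing host.

    The text is returned, not delivered; a real report would be addressed to
    the owning domain's postmaster/abuse contact (the sender is an assumption).
    """
    return (
        f"From: {reporter}\n"
        f"Subject: Host {ip} is probing for /default.ida (Code Red)\n\n"
        f"The host {ip} sent {count} request(s) for /default.ida to our web\n"
        "server. That request is the signature of the Code Red IIS worm; the\n"
        "host is most likely infected and should be patched and cleaned.\n"
    )


if __name__ == "__main__":
    for src, n in code_red_sources(SAMPLE_LOG).items():
        print(notification(src, n))
```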