Re: red worm amusement - redirect

[Yotam Rubin <yotam@makif.omer.k12.il>]

On Fri, Jul 20, 2001 at 09:33:21PM -0400, Noah L. Meyerhans wrote:
> On Fri, Jul 20, 2001 at 06:24:54PM -0700, Alvin Oga wrote:
> > if ya wrote a script... was thinking..wouldnt it be funny
> > to redirect that incoming attack with the cgi script to 
> > redirect it back to the incoming machine ???
> 
> It wouldn't get you anything exciting.  The source machine has already
> been cracked, and chances are it will get hit again by the worm anyway.
> From what I've read about the "random" IP address generator used by the
> worm, the same sets of hosts get hit again and again. 

The intense increase in probes can be attributed to a new worm variant, 
which supposedly has the correct random seed generation code. I think you 
can safely assume that the probes we're seeing now are coming from the 
new worm variant.  I guess one could devise a script which cleans the
probing host from the worm and creates the file c:\noworm (or something 
similar), but it's probably too late anyway. 

	-- Yotam Rubin

> 
> noah
> 
> -- 
>  _______________________________________________________
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html