AW: "suspicious" apache log entries

To: "Vineet Kumar" <debian-security@virtual.doorstop.net>, <debian-security@lists.debian.org>
Subject: AW: "suspicious" apache log entries
From: "Marcel Weber" <mmweber@ncpro.com>
Date: Tue, 10 Sep 2002 12:43:10 +0300
Message-id: <[🔎] ABEKLOAPHGEAANDBAIFFAEKCCHAA.mmweber@ncpro.com>
In-reply-to: <[🔎] 20020910095824.GA37101@doorstop.net>

Hi

Phillip Hofmeister is right. This tool exists.

We used this at our companies network (a bigger one, some 100'000 users ;-).
All those Frontpage or I don't know what the hell they're using users with
iis and nimda on it, were difficult to track down. Of course we tried to
warn them before implementing this tool, but some were on holidays, others
did not have the time to fix it, others had dynamical IP addresses and so
on.

So a little program called "Silver bullet" got developed. I think it run
even on Linux. When a backdoored server tried to contact the silver bullet
server, it got "shot down" by this script using nimda's backdoor. I window
popped up on the attacking machine and it's ip stack went down... It was
really amazing how fast all those server and workstations got patched and
finally there was peace again on the networks...

Well, but you're right: This is a beautyful tool on a companies network. But
if used on the internet, there could be legal issues. Why not introduce an
official "Internet Security Team" that officially has the right to do such
things. It would be for the good of the net! They could be a part of the
ICANN or UNO or whoever.

Marcel




--------------------

PGP / GPG Key:    http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc

> -----Ursprungliche Nachricht-----
> Von: Vineet Kumar [mailto:debian-security@virtual.doorstop.net]
> Gesendet: Dienstag, 10. September 2002 12:58
> An: debian-security@lists.debian.org
> Betreff: Re: "suspicious" apache log entries
>
>
> * Michael Renzmann (mrenzmann@dylanic.de) [020910 02:55]:
> > Phillip Hofmeister stated that one could use the Nimda backdoor on the
> > server that connects our server to setup a warning message on the
> > attacking computer's desktop. I think this is a great idea, but I have
> > not been able to track down what would be necessary to write code for
> > doing so. Anyone on this list interested in teaming up on writing such
> > an script?
>
> If you do, be prepared to go to jail...
>
> good times,
> Vineet
> --
> http://www.doorstop.net/
> --
> "Computer Science is no more about computers
> than astronomy is about telescopes."  -- E.W. Dijkstra
>

Reply to:

Follow-Ups:
- Re: "suspicious" apache log entries
  - From: Doug Winter <doug@pigeonhold.com>
- Re: AW: "suspicious" apache log entries
  - From: Michael Renzmann <mrenzmann@dylanic.de>
- Re: "suspicious" apache log entries
  - From: Geoff Crompton <geoff.crompton@bjhcontrols.com.au>

References:
- Re: "suspicious" apache log entries
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>

Prev by Date: Re: "suspicious" apache log entries
Next by Date: Re: "suspicious" apache log entries
Previous by thread: Re: "suspicious" apache log entries
Next by thread: Re: "suspicious" apache log entries
Index(es):
- Date
- Thread