
Re: "suspicious" apache log entries



On Tue 10 Sep Marcel Weber wrote:
> So a little program called "Silver bullet" got developed. I think it
> ran even on Linux. When a backdoored server tried to contact the
> silver bullet server, it got "shot down" by this script using Nimda's
> backdoor. A window popped up on the attacking machine and its IP
> stack went down... It was really amazing how fast all those servers and
> workstations got patched and finally there was peace again on the
> networks...

This is probably wandering further and further OT, however I saw a
posting on bugtraq way back when all this started that suggested an
interesting tactic.

It claimed that the HTTP libraries used by Nimda and Code Red were
generic, and could be fooled by sending a redirect response like:

Location: http://127.0.0.1/

They would then attempt to root themselves repeatedly, causing the whole
machine to eventually crash.  I expect behaviour would be different in
the various strains of the worms though.

Obviously you can send any HTTP header you like legally.  Also, I guess
people would be quicker to fix their computers if they kept breaking.  I
never tested this myself, but it sounds plausible.

doug.

-- 
key 1024D/6973E2CF print | Tomorrow will be cancelled due to lack of
2C95 66AD 1596 37D2 41FC | interest.
609F 76C0 A4EC 6973 E2CF |
http://www.antisigma.com |
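As an added example, not code from this thread or from either poster, here is a small Python script covering the two things the message touches on: spotting Nimda/Code Red probe requests in Apache log lines (the "suspicious" entries of the subject line), and answering such a probe with the 302 redirect to http://127.0.0.1/ that the bugtraq posting suggested. The log lines and client addresses are constructed samples; the probe signatures are the widely documented Code Red (/default.ida) and Nimda (root.exe, cmd.exe, encoded ".." traversal) request strings. Whether a worm's HTTP code actually followed a Location header is not established anywhere in this thread, so the script only shows the mechanics: match the probe, emit the redirect. The listening port and the single-threaded socket loop in serve() are assumptions for illustration.

```python
"""Detect Nimda/Code Red style probes and answer them with a self-redirect.

Added example for the "suspicious apache log entries" thread; not part of
the original posts. Sample log lines below are constructed, not real.
"""
import re
import socket

# Probe strings as documented for the two worms. Code Red hit /default.ida
# with a long query; Nimda asked for root.exe / cmd.exe directly or through
# the IIS unicode / double-encoded "..\" traversal variants.
PROBE_PATTERNS = [
    ("code-red", re.compile(r"/default\.ida\?", re.I)),
    ("nimda", re.compile(r"/(scripts|msadc|_vti_bin|_mem_bin)/root\.exe", re.I)),
    ("nimda", re.compile(r"cmd\.exe\?/c\+", re.I)),
    ("nimda", re.compile(r"\.\.(%c0%af|%c1%1c|%c1%9c|%255c|%%35c)", re.I)),
]

# Apache common/combined log prefix: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample log lines (addresses and timestamps invented for the example).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:13:02:11 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '10.0.0.5 - - [18/Sep/2001:13:02:12 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '10.0.0.7 - - [18/Sep/2001:13:04:41 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 275',
    '192.0.2.9 - - [18/Sep/2001:13:05:00 +0200] "GET /index.html HTTP/1.1" 200 1423',
]


def classify_request(path):
    """Return the worm family a request path looks like, or None if it looks benign."""
    for family, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return family
    return None


def scan_log(lines):
    """Return (client, family, path) for every log line that matches a worm probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in a format we understand; skip rather than guess
        client, _ts, _method, path, _status, _size = m.groups()
        family = classify_request(path)
        if family:
            hits.append((client, family, path))
    return hits


def build_redirect(target="http://127.0.0.1/"):
    """The reply the bugtraq posting proposed: a 302 pointing the client back at itself."""
    return (
        "HTTP/1.0 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def respond(raw_request):
    """Pick a response for raw request bytes: probes get the redirect, others a 404."""
    try:
        request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
        _method, path, _version = request_line.split(" ", 2)
    except ValueError:
        return b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    if classify_request(path):
        return build_redirect()
    return b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def serve(host="0.0.0.0", port=8080):
    """Minimal single-threaded listener (port is an assumption for the example)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(respond(conn.recv(4096)))


if __name__ == "__main__":
    for client, family, path in scan_log(SAMPLE_LOG):
        print(f"{client} {family} {path}")
    serve()
```

Running the script first prints the probe hits from the constructed sample log, then listens on the assumed port and hands every matching probe the 302 while everything else gets an empty 404; scan_log and respond are plain functions, so the same signatures can be pointed at a real access_log without starting the listener.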