
Re: "suspicious" apache log entries


Something that would be totally legal would be to send an email to webmaster@infected-domain.vir, in the hope that they have such an email address. Of course one has to take care that this email address does not get flooded when thousands of call-attention-to-your-infected-nimda-machine scripts answer the attempted nimda attack in such a way. This would mean a kind of central database where those infected machines would get registered.

A step further would be to ask the webmaster to reply to this email. If he does not within a given timeframe, one could try to let his server's speakers beep or whatever-not-too-harmful-option there is.

I think after sending emails and trying to reach the responsible person (according to the RFC there has to be such an email address), the second step would be legally okay in most countries.


On Thursday, 12 September 2002, at 05:24, Peter Cordes wrote:

On Tue, Sep 10, 2002 at 10:00:13AM -0700, Vineet Kumar wrote:
I understand that the tools exist, but I'd be very cautious before
donning your white hat and becoming the next Internet vigilante.  Of
course the admin of the site may be grateful for your pointing out that
something is wrong, but more likely they'll blame you for any damage
they find (no matter how they were originally infected) and be very
angry about any change you make to their site.  Remember, if they had a
clue, they'd already know and be working on fixing the problem (or never
have been running IIS in the first place).

Nobody said anything about changing the web site, or anything on their hard drive. The suggestion was to pop up a window on the desktop. (This makes sense because I suppose even servers that are running an MS OS usually have a desktop that someone will look at when something goes wrong.)

Taking down the TCP stack is of questionable legality, and it would be nice if there was an easier way to call attention to the machine. Maybe beeping the PC speaker in morse code for S.O.S. would work. (Do rackmount servers have a PC speaker?) Some people disable the PC speaker, but if they have a sound card, you could use that. (Then you could, say, make their computer say "I'm infected, help me"...)

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


-------------------

PGP / GPG Key:	http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc