
Re: slapper countermeasures



Michael Renzmann wrote:
> Hi all.
> How about the following idea: one could use the udp "command language" 
> that is implemented within the slapper worm to issue some commands for 
> self-deletion of the worm and informing the root user of every system 
> about how to close the hole. As far as I understood there is a network 
> between every infected server that uses communication over udp port 
> 2002. If we could set up a script that is able to inject the appropriate 
> commands to this network, that should shut down the whole network. It 
> could possibly pop up again, but as soon as one of the p2p-nodes is 
> known the complete new network should be accessible (if I understood the 
> scheme correctly).
> Opinions?

Same idea here this night! :)

I was thinking about the *good* way to do it...
Maybe something like this (root mail, some wait, virus self-kill):
  /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
  /bin/sleep 300	# to wait for the propagation, some networks are slow
  /bin/kill -9 $PPID	# *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!

J.C.
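
Added example, not part of either message above: a local check an administrator can run on their own host for a socket bound to UDP port 2002, the port the quoted message names for the worm's peer-to-peer traffic. The function names and the sample table are constructed for illustration; the table follows the Linux /proc/net/udp layout.

```shell
#!/bin/sh
# Added example: find UDP sockets bound to port 2002 in a /proc/net/udp table.
PORT_HEX=07D2   # 2002 in hex, as the kernel prints local ports

# Constructed sample in /proc/net/udp layout (not captured from a real host).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11021
  11: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 15234
  12: 0100007F:D207 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 15300
EOF
}

# Print "uid=<uid> inode=<inode>" for every socket whose LOCAL port is 2002.
# $1: table to read, "-" for stdin; defaults to the live /proc/net/udp.
find_udp_2002() {
    awk -v want="$PORT_HEX" '
        NR > 1 {
            n = split($2, a, ":")      # local_address is ADDR:PORT in hex
            # The port is not byte-swapped, so D207 (row 12) must not match.
            if (n == 2 && toupper(a[2]) == want)
                print "uid=" $8 " inode=" $10
        }' "${1:-/proc/net/udp}"
}

# Run against the constructed sample; call find_udp_2002 with no argument
# to inspect the live table instead.
sample_table | find_udp_2002 -
```

To name the owning process, match the reported inode against the socket:[inode] links under /proc/<pid>/fd.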


