Re: slapper countermeasures
Michael Renzmann wrote:
> Hi all.
> How about the following idea: one could use the udp "command language"
> that is implemented within the slapper worm to issue some commands for
> self-deletion of the worm and informing the root user of every system
> about how to close the hole. As far as I understood there is a network
> between every infected server that uses communication over udp port
> 2002. If we could set up a script that is able to inject the appropriate
> commands to this network, that should shut down the whole network. It
> could possibly pop up again, but as soon as one of the p2p-nodes is
> known the complete new network should be accessible (if I understood the
> scheme correctly).
Same idea here this night! :)
I was thinking about the *good* way to do it...
Maybe something like this (root mail, some wait, virus self-kill):
/bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
/bin/sleep 300 # to wait for the propagation, some networks are slow
/bin/kill -9 $PPID # *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!