
Re: FW: Careful. This is for information only.




  Agree with the ethics problem.  I don't have many ethical problems though
with overwriting a wurm binary from a machine we know is hacked, it hit
me after all.

  How about assigning that hardcoded IP to /dev/null.  Have the backbone
operators assign a static route to a dead interface on the backbone routers
so it doesn't even try to go to the old network.


  Yes the best patch would be if all the IIS boxes were patched but it doesn't
appear to be working all that well.


Thus spake Yvonne Kelly (yvraine@visto.com):

> Hi,
> 
> 1.  You still run into the ethics question of whether you 
> should be tampering with other people's boxes yourself, 
> even with good intentions.  Even if it's just to run a 
> script.
> 
> 2a. We don't KNOW that it was Chinese in origin.  Sure, the 
> defacement script reads "Hacked by Chinese," but anyone 
> could have written that just to frame them.  I've even 
> heard theories that the worm was created by the CIA....
> 
> 2b. The DDoS target is actually a hardcoded IP address, 
> not "www.whitehouse.gov" so there's no DNS involved.  That 
> IP address used to be the White House's, but they've long 
> since gotten that changed!
> 
> Y.Kelly
> 
> 
> 
> -----Original Message-----
> From:    Robert L. Harris Robert.L.Harris@rdlg.net
> Sent:    Wed, 8 Aug 2001 11:35:16 -0600
> To:      debian-user@lists.debian.org
> Subject: Re: FW: Careful. This is for information only.
> 
> 
> 
> 
> 2 thoughts.  
> 
> 1)  Write a script that instead of shutting down the system
> applies a hot-fix or shuts the wurm off, maybe a cron type, at job that
> removes the files the wurm puts in place and then emails the admin
> with a "hey your box is hacked, fix it"...
> 
> 2) My understanding is that this was made by some Chinese hacker
> ticked off about that spy plane garbage and is DDOS'ing
> whitehouse.gov.  Being that we don't seem to be getting much help
> shutting this down since v2 is now out, let's change DNS for a week
> and point Whitehouse.gov to china.gov or some such mess.
> 
> 
> Thus spake Nathan E Norman (nnorman@micromuse.com):
> 
> > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan wrote:
> > > How about this? [ "white" worm ]
> > 
> > You're missing the point.
> > 
> > No one here is saying you would be a bad person if you {shut
> > off/nuked/notified} a remote site that is already affected with the
> > worm du jour.
> > 
> > What I'm trying to say (and John Hasler as well if I may be
> > presumptuous) is that given the current state of affairs legally, you
> > would be _unwise_ to set up your system in such a way that it did
> > something to another machine via some back door mechanism, even if
> > what you did was clearly beneficial.
> > 
> > Many are saying "but that's stupid, it's sad that we can't help".
> > You are absolutely correct.  The Internet was supposed to be about
> > cooperation ... as far as I can see it's mostly a playground for
> > idiots and control freaks.
> > 
> > If you want to figure out how to "stop" code red, go right ahead!
> > However, don't be surprised when some moron calls you and wants to
> > know why you've "hacked" his system.  You can't share wisdom with
> > fools, unfortunately.
> > 
> > Cheers,
> > 
> > -- 
> > Nathan Norman - Staff Engineer | A good plan today is better
> > Micromuse Ltd.                 | than a perfect plan tomorrow.
> > mailto:nnorman@micromuse.com   |   -- Patton
> 
> 
> 
> 
> 



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'


