Re: FW: Careful. This is for information only.
Yeah, except routing packets for that address to /dev/null
will only work during the last part of the month, when it's
in DDoS mode. For the first twenty days of the calendar
month, it's in propogation mode, spreading itself, and
that's what is clogging the bandwidth right now.
Y.Kelly
-----Original Message-----
From: Robert L. Harris Robert.L.Harris@rdlg.net
Sent: Wed, 8 Aug 2001 12:09:07 -0600
To: yvraine@visto.com
CC: debian-user@lists.debian.org,
Robert.L.Harris@rdlg.net
Subject: Re: FW: Careful. This is for information only.
Agree with the ethics problem. I don't have many ethical
problems though
with overwriting a wurm binary from a machine we know is
hacked, it hit
me afterall.
How about assigning that hardcoded IP to /dev/null. Have
the backbone
operators assign a static route to a dead interface on the
backbone routers
so it doesn't even try to go to the old network.
Yes the best patch would be if all the IIS boxes were
patched but it doesn't
appear to be working all that well.
Thus spake Yvonne Kelly (yvraine@visto.com):
> Hi,
>
> 1. You still run into the ethics question of whether you
> should be tampering with other people's boxes yourself,
> even with good intentions. Even if it's just to run a
> script.
>
> 2a. We don't KNOW that it was Chinese in origin. Sure,
the
> defacement script reads "Hacked by Chinese," but anyone
> could have written that just to frame them. I've even
> heard theories that the worm was created by the CIA....
>
> 2b. The DDoS target is actually a hardcoded IP address,
> not "www.whitehouse.gov" so there's no DNS involved.
That
> IP address used to be the White House's, but they've long
> since gotten that changed!
>
> Y.Kelly
>
>
>
> -----Original Message-----
> From: Robert L. Harris Robert.L.Harris@rdlg.net
> Sent: Wed, 8 Aug 2001 11:35:16 -0600
> To: debian-user@lists.debian.org
> Subject: Re: FW: Careful. This is for information only.
>
>
>
>
> 2 thoughts.
>
> 1) Write a script that instead of shutting down the
system
> applies a hot-fix or shuts the wurm off, maybe a cron
type,
> at job that
> removes the files the wurm puts in place and then emails
> the admin
> with a "hey your box is hacked, fix it"...
>
> 2) My understanding is that this was made by some
chineese
> hacker
> ticked off about that spy plane garbage and is DDOS'ing
> whitehouse.gove. Being that we don't seem to be getting
> much help
> shutting this down since v2 is now out, lets change DNS
for
> a week
> and point Whitehouse.gov to china.gov or some such mess.
>
>
> Thus spake Nathan E Norman (nnorman@micromuse.com):
>
> > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan
> wrote:
> > > How about this? [ "white" worm ]
> >
> > You're missing the point.
> >
> > No one here is saying you would be a bad person if you
> {shut
> > off/nuked/notified} a remote site that is already
> affected with the
> > worm du jour.
> >
> > What I'm trying to say (and John Hasler as well if I
may
> be
> > presumptuous) is that given the current state of
affairs
> legally, you
> > would be _unwise_ to set up your system in such a way
> that it did
> > something to another machine via some back door
> mechanism, even if
> > what you did was clearly beneficial.
> >
> > Many are saying "but that's stupid, it's sad that we
> can't help".
> > You are absolutely correct. The Internet was supposed
to
> be about
> > cooperation ... as far as I can see it's mostly a
> playground for
> > idiots and control freaks.
> >
> > If you want to figure out how to "stop" code red, go
> right ahead!
> > However, don't be surprised when some moron calls you
and
> wants to
> > know why you've "hacked" his system. You can't share
> wisdom with
> > fools, unfortunately.
> >
> > Cheers,
> >
> > --
> > Nathan Norman - Staff Engineer | A good plan today is
> better
> > Micromuse Ltd. | than a perfect plan
> tomorrow.
> > mailto:nnorman@micromuse.com | -- Patton
>
>
>
>
>
> :wq!
> ----------------------------------------------------------
--
> ---------------
> Robert L. Harris | Micros~1 :
> Senior System Engineer | For when quality,
> reliability
> at RnD Consulting | and security just
> aren't
> \_ that important!
> DISCLAIMER:
> These are MY OPINIONS ALONE. I speak for no-one
else.
> FYI:
> perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-
> 2),oct(115),10);'
>
>
> --
> To UNSUBSCRIBE, email to debian-user-
> request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>
>
>
>
____________________________________________________________
_______________
> Visit http://www.visto.com.
> Find out how companies are linking mobile users to the
> enterprise with Visto.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-
request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
:wq!
------------------------------------------------------------
---------------
Robert L. Harris | Micros~1 :
Senior System Engineer | For when quality,
reliability
at RnD Consulting | and security just
aren't
\_ that important!
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-
2),oct(115),10);'
___________________________________________________________________________
Visit http://www.visto.com.
Find out how companies are linking mobile users to the
enterprise with Visto.
Reply to: