
Re: FW: Careful. This is for information only.



Yeah, except routing packets for that address to /dev/null
will only work during the last part of the month, when it's
in DDoS mode.  For the first twenty days of the calendar
month, it's in propagation mode, spreading itself, and
that's what is clogging the bandwidth right now.

Y.Kelly



-----Original Message-----
From:    Robert L. Harris Robert.L.Harris@rdlg.net
Sent:    Wed, 8 Aug 2001 12:09:07 -0600
To:      yvraine@visto.com
CC:      debian-user@lists.debian.org, Robert.L.Harris@rdlg.net
Subject: Re: FW: Careful. This is for information only.




  Agree with the ethics problem.  I don't have many ethical problems though
with overwriting a wurm binary from a machine we know is hacked, it hit
me after all.

  How about assigning that hardcoded IP to /dev/null.  Have the backbone
operators assign a static route to a dead interface on the backbone routers
so it doesn't even try to go to the old network.


  Yes the best patch would be if all the IIS boxes were patched but it doesn't
appear to be working all that well.


Thus spake Yvonne Kelly (yvraine@visto.com):

> Hi,
> 
> 1.  You still run into the ethics question of whether you 
> should be tampering with other people's boxes yourself, 
> even with good intentions.  Even if it's just to run a 
> script.
> 
> 2a. We don't KNOW that it was Chinese in origin.  Sure, the 
> defacement script reads "Hacked by Chinese," but anyone 
> could have written that just to frame them.  I've even 
> heard theories that the worm was created by the CIA....
> 
> 2b. The DDoS target is actually a hardcoded IP address, 
> not "www.whitehouse.gov" so there's no DNS involved.  That 
> IP address used to be the White House's, but they've long 
> since gotten that changed!
> 
> Y.Kelly
> 
> 
> 
> -----Original Message-----
> From:    Robert L. Harris Robert.L.Harris@rdlg.net
> Sent:    Wed, 8 Aug 2001 11:35:16 -0600
> To:      debian-user@lists.debian.org
> Subject: Re: FW: Careful. This is for information only.
> 
> 
> 
> 
> 2 thoughts.  
> 
> 1)  Write a script that instead of shutting down the system
> applies a hot-fix or shuts the wurm off, maybe a cron type, at job that
> removes the files the wurm puts in place and then emails the admin
> with a "hey your box is hacked, fix it"...
> 
> 2) My understanding is that this was made by some Chinese hacker
> ticked off about that spy plane garbage and is DDOS'ing 
> whitehouse.gov.  Being that we don't seem to be getting much help
> shutting this down since v2 is now out, let's change DNS for a week
> and point Whitehouse.gov to china.gov or some such mess.
> 
> 
> Thus spake Nathan E Norman (nnorman@micromuse.com):
> 
> > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan wrote:
> > > How about this? [ "white" worm ]
> > 
> > You're missing the point.
> > 
> > No one here is saying you would be a bad person if you {shut
> > off/nuked/notified} a remote site that is already affected with the
> > worm du jour.
> > 
> > What I'm trying to say (and John Hasler as well if I may be
> > presumptuous) is that given the current state of affairs legally, you
> > would be _unwise_ to set up your system in such a way that it did
> > something to another machine via some back door mechanism, even if
> > what you did was clearly beneficial.
> > 
> > Many are saying "but that's stupid, it's sad that we can't help".
> > You are absolutely correct.  The Internet was supposed to be about
> > cooperation ... as far as I can see it's mostly a playground for
> > idiots and control freaks.
> > 
> > If you want to figure out how to "stop" code red, go right ahead!
> > However, don't be surprised when some moron calls you and wants to
> > know why you've "hacked" his system.  You can't share wisdom with
> > fools, unfortunately.
> > 
> > Cheers,
> > 
> > -- 
> > Nathan Norman - Staff Engineer | A good plan today is better
> > Micromuse Ltd.                 | than a perfect plan tomorrow.
> > mailto:nnorman@micromuse.com   |   -- Patton
> 
> 
> 
> 
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                |  Micros~1 :  
> Senior System Engineer          |    For when quality, reliability 
>   at RnD Consulting             |      and security just aren't
>                                 \_       that important!
> DISCLAIMER:
>       These are MY OPINIONS ALONE.  I speak for no-one else.
> FYI:
>  perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
> 
> 



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'



