Re: FW: Careful. This is for information only.
Right. So we have a two-parter. Either we ignore the first 20
days and let it run, keep track of who is doing it, maybe an
"Is your company irresponsibly spreading this POS?" with a list,
or we do the "remove the wurm binary."

But for the last third of the month we can still cut the bandwidth
used and route the booger to /dev/null and make it go away for
a bit. It may take a little to get the backboners to put the
entries in, but if it'll clean up the net a good bit for the DDoS
mode, it's likely worth it.
Thus spake Yvonne Kelly (yvraine@visto.com):
> Yeah, except routing packets for that address to /dev/null
> will only work during the last part of the month, when it's
> in DDoS mode. For the first twenty days of the calendar
> month, it's in propagation mode, spreading itself, and
> that's what is clogging the bandwidth right now.
>
> Y.Kelly
>
>
>
> -----Original Message-----
> From: Robert L. Harris Robert.L.Harris@rdlg.net
> Sent: Wed, 8 Aug 2001 12:09:07 -0600
> To: yvraine@visto.com
> CC: debian-user@lists.debian.org,
> Robert.L.Harris@rdlg.net
> Subject: Re: FW: Careful. This is for information only.
>
>
>
>
> Agree with the ethics problem. I don't have many ethical
> problems though with overwriting a wurm binary from a machine
> we know is hacked; it hit me after all.
>
> How about assigning that hardcoded IP to /dev/null. Have
> the backbone operators assign a static route to a dead
> interface on the backbone routers so it doesn't even try to
> go to the old network.
>
>
> Yes, the best patch would be if all the IIS boxes were
> patched, but it doesn't appear to be working all that well.
>
>
> Thus spake Yvonne Kelly (yvraine@visto.com):
>
> > Hi,
> >
> > 1. You still run into the ethics question of whether you
> > should be tampering with other people's boxes yourself,
> > even with good intentions. Even if it's just to run a
> > script.
> >
> > 2a. We don't KNOW that it was Chinese in origin. Sure, the
> > defacement script reads "Hacked by Chinese," but anyone
> > could have written that just to frame them. I've even
> > heard theories that the worm was created by the CIA....
> >
> > 2b. The DDoS target is actually a hardcoded IP address,
> > not "www.whitehouse.gov" so there's no DNS involved. That
> > IP address used to be the White House's, but they've long
> > since gotten that changed!
> >
> > Y.Kelly
> >
> >
> >
> > -----Original Message-----
> > From: Robert L. Harris Robert.L.Harris@rdlg.net
> > Sent: Wed, 8 Aug 2001 11:35:16 -0600
> > To: debian-user@lists.debian.org
> > Subject: Re: FW: Careful. This is for information only.
> >
> >
> >
> >
> > 2 thoughts.
> >
> > 1) Write a script that instead of shutting down the system
> > applies a hot-fix or shuts the wurm off, maybe a cron type,
> > at job that removes the files the wurm puts in place and
> > then emails the admin with a "hey your box is hacked, fix
> > it"...
> >
> > 2) My understanding is that this was made by some Chinese
> > hacker ticked off about that spy plane garbage and is
> > DDOS'ing whitehouse.gov. Being that we don't seem to be
> > getting much help shutting this down since v2 is now out,
> > let's change DNS for a week and point Whitehouse.gov to
> > china.gov or some such mess.
> >
> >
> > Thus spake Nathan E Norman (nnorman@micromuse.com):
> >
> > > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan wrote:
> > > > How about this? [ "white" worm ]
> > >
> > > You're missing the point.
> > >
> > > No one here is saying you would be a bad person if you
> > > {shut off/nuked/notified} a remote site that is already
> > > affected with the worm du jour.
> > >
> > > What I'm trying to say (and John Hasler as well if I may
> > > be presumptuous) is that given the current state of
> > > affairs legally, you would be _unwise_ to set up your
> > > system in such a way that it did something to another
> > > machine via some back door mechanism, even if what you
> > > did was clearly beneficial.
> > >
> > > Many are saying "but that's stupid, it's sad that we
> > > can't help". You are absolutely correct. The Internet was
> > > supposed to be about cooperation ... as far as I can see
> > > it's mostly a playground for idiots and control freaks.
> > >
> > > If you want to figure out how to "stop" code red, go
> > > right ahead! However, don't be surprised when some moron
> > > calls you and wants to know why you've "hacked" his
> > > system. You can't share wisdom with fools, unfortunately.
> > >
> > > Cheers,
> > >
> > > --
> > > Nathan Norman - Staff Engineer | A good plan today is better
> > > Micromuse Ltd. | than a perfect plan tomorrow.
> > > mailto:nnorman@micromuse.com | -- Patton
:wq!
---------------------------------------------------------------------------
Robert L. Harris | Micros~1 :
Senior System Engineer | For when quality, reliability
at RnD Consulting | and security just aren't
\_ that important!
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'