
Re: FW: Careful. This is for information only.




Right.  So we have a 2 parter.  Either we ignore the first 20
days and let it run, keep track of who is doing it, maybe a
"Is your company irresponsibly spreading this POS?" with a list,
or we do the "remove the wurm binary".

But for the last third of the month we can still cut the bandwidth
used and route the booger to /dev/null and make it go away for
a bit.  It may take a little to get the backboners to put the
entries in but if it'll clean up the net a good bit for the DDoS
mode, it's likely worth it.




Thus spake Yvonne Kelly (yvraine@visto.com):

> Yeah, except routing packets for that address to /dev/null
> will only work during the last part of the month, when it's
> in DDoS mode.  For the first twenty days of the calendar
> month, it's in propagation mode, spreading itself, and
> that's what is clogging the bandwidth right now.
> 
> Y.Kelly
> 
> -----Original Message-----
> From:    Robert L. Harris Robert.L.Harris@rdlg.net
> Sent:    Wed, 8 Aug 2001 12:09:07 -0600
> To:      yvraine@visto.com
> CC:      debian-user@lists.debian.org, Robert.L.Harris@rdlg.net
> Subject: Re: FW: Careful. This is for information only.
> 
>   Agree with the ethics problem.  I don't have many ethical
> problems though with overwriting a wurm binary from a machine
> we know is hacked, it hit me after all.
> 
>   How about assigning that hardcoded IP to /dev/null.  Have
> the backbone operators assign a static route to a dead interface
> on the backbone routers so it doesn't even try to go to the old
> network.
> 
>   Yes the best patch would be if all the IIS boxes were
> patched but it doesn't appear to be working all that well.
> 
> Thus spake Yvonne Kelly (yvraine@visto.com):
> 
> > Hi,
> > 
> > 1.  You still run into the ethics question of whether you
> > should be tampering with other people's boxes yourself,
> > even with good intentions.  Even if it's just to run a
> > script.
> > 
> > 2a. We don't KNOW that it was Chinese in origin.  Sure, the
> > defacement script reads "Hacked by Chinese," but anyone
> > could have written that just to frame them.  I've even
> > heard theories that the worm was created by the CIA....
> > 
> > 2b. The DDoS target is actually a hardcoded IP address,
> > not "www.whitehouse.gov" so there's no DNS involved.  That
> > IP address used to be the White House's, but they've long
> > since gotten that changed!
> > 
> > Y.Kelly
> > 
> > -----Original Message-----
> > From:    Robert L. Harris Robert.L.Harris@rdlg.net
> > Sent:    Wed, 8 Aug 2001 11:35:16 -0600
> > To:      debian-user@lists.debian.org
> > Subject: Re: FW: Careful. This is for information only.
> > 
> > 2 thoughts.
> > 
> > 1)  Write a script that instead of shutting down the system
> > applies a hot-fix or shuts the wurm off, maybe a cron type,
> > at job that removes the files the wurm puts in place and then
> > emails the admin with a "hey your box is hacked, fix it"...
> > 
> > 2) My understanding is that this was made by some Chinese
> > hacker ticked off about that spy plane garbage and is DDoS'ing
> > whitehouse.gov.  Being that we don't seem to be getting
> > much help shutting this down since v2 is now out, let's change
> > DNS for a week and point Whitehouse.gov to china.gov or some
> > such mess.
> > 
> > Thus spake Nathan E Norman (nnorman@micromuse.com):
> > 
> > > On Wed, Aug 08, 2001 at 08:36:53AM +0200, Sebastiaan wrote:
> > > > How about this? [ "white" worm ]
> > > 
> > > You're missing the point.
> > > 
> > > No one here is saying you would be a bad person if you
> > > {shut off/nuked/notified} a remote site that is already
> > > affected with the worm du jour.
> > > 
> > > What I'm trying to say (and John Hasler as well if I may be
> > > presumptuous) is that given the current state of affairs
> > > legally, you would be _unwise_ to set up your system in such
> > > a way that it did something to another machine via some back
> > > door mechanism, even if what you did was clearly beneficial.
> > > 
> > > Many are saying "but that's stupid, it's sad that we can't
> > > help".  You are absolutely correct.  The Internet was supposed
> > > to be about cooperation ... as far as I can see it's mostly a
> > > playground for idiots and control freaks.
> > > 
> > > If you want to figure out how to "stop" code red, go right
> > > ahead!  However, don't be surprised when some moron calls you
> > > and wants to know why you've "hacked" his system.  You can't
> > > share wisdom with fools, unfortunately.
> > > 
> > > Cheers,
> > > 
> > > -- 
> > > Nathan Norman - Staff Engineer | A good plan today is better
> > > Micromuse Ltd.                 | than a perfect plan tomorrow.
> > > mailto:nnorman@micromuse.com   |   -- Patton



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
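As an added example that is not part of this thread (and not anyone's posted code), the two-phase response above (track who is spreading it during the first twenty days, then null-route the hardcoded target during DDoS mode) worked through on constructed flow records; the target address, the record format and the IOS route syntax are assumptions, since the thread gives none of them.

```python
# Added example (not from the thread): triage constructed flow records for a worm
# whose behaviour follows the day of the month, as the thread describes.
from datetime import date

# Assumption: placeholder for the hardcoded DDoS target (not given in the thread).
DDOS_TARGET = "192.0.2.1"
PROPAGATION_DAYS = 20   # thread: first twenty days of the month = propagation

def worm_mode(day: date) -> str:
    """'propagation' for the first twenty days of the month, else 'ddos'."""
    return "propagation" if day.day <= PROPAGATION_DAYS else "ddos"

def parse_flow(line: str) -> dict:
    """Parse one constructed record of the form 'src dst dport packets'."""
    src, dst, dport, packets = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "packets": int(packets)}

def suspects(lines, day: date, min_targets: int = 3) -> dict:
    """Sources acting like the worm in the mode expected for `day`: propagation ->
    port-80 probes of >= min_targets hosts (value: hosts); ddos -> packets at target."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    mode = worm_mode(day)
    if mode == "ddos":
        hits = {}
        for f in flows:
            if f["dst"] == DDOS_TARGET and f["dport"] == 80:
                hits[f["src"]] = hits.get(f["src"], 0) + f["packets"]
        return {"mode": mode, "sources": hits}
    probed = {}
    for f in flows:
        if f["dport"] == 80:
            probed.setdefault(f["src"], set()).add(f["dst"])
    scanners = {s: len(d) for s, d in probed.items() if len(d) >= min_targets}
    return {"mode": mode, "sources": scanners}

def null_route_ios(target: str) -> str:
    """Cisco IOS static route to Null0 for the target /32 (the thread's 'static
    route to a dead interface'); assumed syntax, verify on your own gear."""
    return f"ip route {target} 255.255.255.255 Null0"

# Constructed sample: 10.0.0.5 probes several hosts; both later flood the target.
SAMPLE_FLOWS = [
    "10.0.0.5 203.0.113.7 80 3",
    "10.0.0.5 203.0.113.8 80 3",
    "10.0.0.5 203.0.113.9 80 3",
    "10.0.0.9 203.0.113.7 80 1",
    "10.0.0.5 192.0.2.1 80 500",
    "10.0.0.9 192.0.2.1 80 700",
    "10.0.0.9 192.0.2.1 25 1",
]
```

The propagation-mode list is what you would hand to the operators of the sources' networks; the ddos-mode list is the traffic the null route would drop.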