Security Incidents mailing list archives
Re: Tracking down the still infected hosts
From: "Kyle R. Hofmann" <krh () lemniscate net>
Date: Mon, 24 Sep 2001 23:42:31 -0700
On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
I implemented the methods below on my IIS and Apache servers and it knocked all the local Nimda traffic dead in minutes. Nimda traffic from neighboring ISPs was way down within an hour. Since I am on a cable modem I can't control the rest of the network around me but this sure did shut them noisy infected boxes up in a hurry :)
For machines that don't run a web server, I wrote a short Perl script that will send an HTTP/1.1 Redirect to anyone attempting to access port 80. I'm not very familiar with the HTTP protocol, so I may have done something that's technically incorrect, but lynx honors the redirect just fine, so I think it's OK. The script is appended to this message.

--
Kyle R. Hofmann <krh () lemniscate net>

-----Script begins here-----
#!/usr/bin/perl -Tw
use strict;
use IO::Socket;

$::WEB_PORT = 80;

my ($server);
my ($client);

# Listen on the web port (binding to port 80 requires root).
$server = IO::Socket::INET->new(LocalPort => $::WEB_PORT,
                                Type      => SOCK_STREAM,
                                Reuse     => 1,
                                Listen    => SOMAXCONN )
    or die "I couldn't bind myself to port $::WEB_PORT: $!\n";

# Detach from the standard handles and leave the start directory.
close(STDIN);
close(STDOUT);
close(STDERR);
chdir("/");

while ($client = $server->accept()) {
    my ($line);

    # Discard the request line and headers up to the blank line;
    # stop early if the client disconnects.
    while (defined($line = <$client>) && $line !~ /^\s*$/) { }

    # HTTP header lines end in CRLF, and the Date header is in GMT.
    print $client "HTTP/1.1 301 Redirect\r\n";
    print $client "Date: ", scalar(gmtime()), "\r\n";
    print $client "Location: http://127.0.0.1/\r\n\r\n";

    $client->shutdown(2);
}

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com