Re: Tracking down the still infected hosts

["Kyle R. Hofmann" <krh () lemniscate net>]

On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
> I implemented the methods below on my IIS and Apache servers and it
> knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> neighboring ISPs was way down within an hour.  Since I am on a cable
> modem I can't control the rest of the network around me but this sure
> did shut them noisy infected boxes up in a hurry :)

For machines that don't run a web server, I wrote a short perl script that
will send an HTTP/1.1 Redirect to anyone attempting to access port 80.  I'm
not very familiar with the HTTP protocol, so I may have done something that's
technically incorrect, but lynx honors the redirect just fine, so I think it's
OK.  The script is appended to this message.

-- 
Kyle R. Hofmann <krh () lemniscate net>

-----Script begins here-----
#!/usr/bin/perl -Tw

use strict;
use IO::Socket;

$::WEB_PORT = 80;

my ($server);
my ($client);

$server = IO::Socket::INET->new(LocalPort       => $::WEB_PORT,
                                Type            => SOCK_STREAM,
                                Reuse           => 1,
                                Listen          => SOMAXCONN )
        or die "I couldn't bind myself to port $::WEB_PORT: $!\n";

close(STDIN);
close(STDOUT);
close(STDERR);
chdir("/");

while ($client = $server->accept()) {
        my ($line);

        while (($line = <$client>) !~ /^\s*$/) { }

        print $client "HTTP/1.1 301 Redirect\n";
        print $client "Date: ", scalar(localtime()), "\n";
        print $client "Location: http://127.0.0.1/\n\n";;

        $client->shutdown(2);
}

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com