Re: Tracking down the still infected hosts

[Tina Bird <tbird () precision-guesswork com>]

Can I ask a question?

According to Ryan Russell (who's been analyzing the
worm code), Nimda doesn't honor redirects - it just
checks the response it gets from a Web server to 
determine whether or not the server is vulnerable.
It doesn't follow redirects.  So what does this 
actually accomplish?

Isn't it possible that the Nimda traffic is going down
because of the decaying growth curve of propagation?
Or am I just missing something?

confused -- tbird

On Mon, 24 Sep 2001, Kyle R. Hofmann wrote:

> Date: Mon, 24 Sep 2001 23:42:31 -0700
> From: Kyle R. Hofmann <krh () lemniscate net>
> To: incidents () securityfocus com
> Subject: Re: Tracking down the still infected hosts 
>
> On Mon, 24 Sep 2001 22:00:53 -0400, "Fulton L. Preston Jr." wrote:
> > I implemented the methods below on my IIS and Apache servers and it
> > knocked all the local Nimda traffic dead in minutes. Nimda traffic from
> > neighboring ISPs was way down within an hour.  Since I am on a cable
> > modem I can't control the rest of the network around me but this sure
> > did shut them noisy infected boxes up in a hurry :)
>
> For machines that don't run a web server, I wrote a short perl script that
> will send an HTTP/1.1 Redirect to anyone attempting to access port 80.  I'm
> not very familiar with the HTTP protocol, so I may have done something that's
> technically incorrect, but lynx honors the redirect just fine, so I think it's
> OK.  The script is appended to this message.

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com