Security Incidents mailing list archives

Re: Tracking down the still infected hosts


From: "Kyle R. Hofmann" <krh () lemniscate net>
Date: Tue, 25 Sep 2001 12:28:49 -0700

On Tue, 25 Sep 2001 11:24:49 -0500, Tina Bird wrote:
According to Ryan Russell (who's been analyzing the
worm code), Nimda doesn't honor redirects - it just
checks the response it gets from a Web server to 
determine whether or not the server is vulnerable.
It doesn't follow redirects.  So what does this 
actually accomplish?

Actually, I'm not sure it accomplishes anything.  I read the post saying that
redirecting Nimda to 127.0.0.1 killed it or slowed it down, and I wrote and
posted my redirection tool before I spent a lot of time watching Nimda's
reaction to it.  Now that I've let it run overnight, I'm convinced that it
doesn't do any good.  Nimda traffic on my machine has actually gone up,
because now it doesn't stop--it just keeps pounding on me, gleefully ignoring
the redirects.  I've gotten about 1.44 HTTP connections per minute in the
past six hours, primarily from two persistent machines, whereas yesterday,
before I had written my tool, I got about 0.391 connections per minute spread
out among a half-dozen or so machines.  Since none of this is legitimate
traffic (my machine hasn't run a web server in half a year), for machines
that don't run web servers it's clearly less effective to send redirects than
to simply refuse connections.  I suspect that the same is true for web
servers, as well.

-- 
Kyle R. Hofmann <krh () lemniscate net>
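
The kind of per-source counting Kyle describes (connections per minute, which hosts keep coming back, and whether they keep probing after being sent a redirect) can be pulled straight out of a web server access log.  The script below is an added example written for this archive page; it is not Kyle's redirection tool and not code from the original thread.  It assumes Common Log Format lines in chronological order, flags a request as a Nimda-style probe with a simple heuristic (request path contains root.exe or cmd.exe, a pattern taken from public Nimda analyses rather than from this post), and runs over a constructed sample log using RFC 5737 documentation addresses.

```python
"""Count Nimda-style HTTP probes per source host in a web server access log.

Added example for this thread, not code from the original post.  Assumes
Common Log Format, chronological order, and the root.exe/cmd.exe heuristic.
"""
import re
from datetime import datetime

# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
# Every probe here was answered with a 302, as a redirect-based tool would do.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2001:06:00:03 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 0
192.0.2.10 - - [25/Sep/2001:06:00:04 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 0
192.0.2.10 - - [25/Sep/2001:06:00:04 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 0
198.51.100.9 - - [25/Sep/2001:06:01:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 0
198.51.100.7 - - [25/Sep/2001:06:02:15 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 0
192.0.2.10 - - [25/Sep/2001:06:03:41 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 0
203.0.113.5 - - [25/Sep/2001:06:04:02 -0700] "GET /index.html HTTP/1.0" 200 512
198.51.100.7 - - [25/Sep/2001:06:05:30 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 0
192.0.2.10 - - [25/Sep/2001:06:06:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 0
"""

# Common Log Format: host ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed heuristic (not from the post): Nimda asked for root.exe (left behind
# by Code Red II) and for cmd.exe through traversal paths.
PROBE_MARKERS = ("root.exe", "cmd.exe")


def parse_line(line):
    """Return (host, timestamp, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path"), int(m.group("status"))


def is_probe(path):
    """True when the request path matches the probe heuristic."""
    return any(marker in path.lower() for marker in PROBE_MARKERS)


def probe_stats(log_text):
    """Per-source probe count, first/last probe time, and how many probes
    arrived after that source had already been answered with a 3xx."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec[2]):
            continue
        host, ts, _path, status = rec
        s = stats.setdefault(host, {"count": 0, "first": ts, "last": ts,
                                    "after_redirect": 0, "redirected": False})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        if s["redirected"]:
            s["after_redirect"] += 1   # it came back despite the redirect
        if 300 <= status < 400:
            s["redirected"] = True
    return stats


def probes_per_minute(stats):
    """Overall probe rate over the span from the first to the last probe."""
    total = sum(s["count"] for s in stats.values())
    if total == 0:
        return 0.0
    first = min(s["first"] for s in stats.values())
    last = max(s["last"] for s in stats.values())
    span_min = (last - first).total_seconds() / 60.0
    return total / span_min if span_min > 0 else float(total)


def persistent_hosts(stats, min_probes=2):
    """Sources worth chasing down: repeat probers, busiest first."""
    hosts = [h for h, s in stats.items() if s["count"] >= min_probes]
    return sorted(hosts, key=lambda h: (-stats[h]["count"], h))


def ignoring_redirects(stats):
    """Sources that kept probing after at least one of their probes got a 3xx."""
    return sorted(h for h, s in stats.items() if s["after_redirect"] > 0)


if __name__ == "__main__":
    st = probe_stats(SAMPLE_LOG)
    for host in persistent_hosts(st):
        print("%-14s %d probes, %s .. %s" % (host, st[host]["count"],
              st[host]["first"].time(), st[host]["last"].time()))
    print("overall rate: %.2f probes/min" % probes_per_minute(st))
    print("still probing after a 3xx:", ", ".join(ignoring_redirects(st)))
```

Run it against a real access log by feeding the file contents to probe_stats() instead of SAMPLE_LOG.  The "after_redirect" counter is the check that matters for this thread: if a source's count keeps climbing after its first 3xx, the redirect did nothing and the host belongs on the list of still-infected machines to contact or block.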

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com