[Techtalk] outlook virii

James james at james-web.net
Fri Apr 12 22:43:26 EST 2002


I remember someone that made a Perl script which added offending IPs to
a ipchains/iptables block list.

However, automated is BAD.  If this procedure caught on, virii writers
might spoof IPs as a snub to those who do this.  Imagine if suddenly
you've blackholed localhost or your gateway or your DNS servers or
everything else in your Class C.

Basically, I just laugh at Nimda/CR trying to compromise my Apache
server and weep because of all the people who are still
vulnerable/infected.

- James

> -----Original Message-----
> From: techtalk-admin at linuxchix.org [mailto:techtalk-admin at linuxchix.org]
> On Behalf Of Davis, Jennifer
> Sent: Friday, April 12, 2002 5:20 PM
> To: 'Techtalk at linuxchix.org'
> Subject: [Techtalk] outlook virii
> 
> Hi:
> 
> 	I was wondering if it was possible to send some sort of message back
> to people (like maybe a popup message) when they hit my webserver, that
> surfing with viruses on their system is just not cool. See an excerpt from
> my log below. I estimate that 95% of the hits to my web server are these
> exploit attempts. Barring that, is there a way to block an IP that we'll
> say is looking for root.exe? The webserver is a standard Apache 1.3? that
> came with Slackware 8.0.
> 
> Thanks again
> Jenn
> 
> Jennifer Davis
> Constitutional & Administrative Law - Droit administratif & constitutionnel
> Department of Justice Canada - Ministère de la Justice du Canada
> (613) 957-4963 - fx (613) 941-1937
> jdavis at justice.gc.ca
> 
> 64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:10:59 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP$
> 64.168.22.13 - - [10/Apr/2002:17:11:02 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:03 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> 
> 
> 
> 
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
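As an added example, not code from either message above, the following Python script counts the worm probe pattern from Jenn's log excerpt per source address, but, following James's caution about spoofed sources, refuses to list loopback or the server's own subnet and produces a review list rather than a firewall rule. The 192.0.2.0/24 "own subnet", the min_hits threshold and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache common-log line: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Request fragments characteristic of the Code Red / Nimda probes in the thread.
PROBE_MARKERS = ("root.exe", "cmd.exe")

def parse_line(line):
    """Return (host, request, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def is_probe(request):
    return any(marker in request.lower() for marker in PROBE_MARKERS)

def candidate_blocks(lines, protected_networks, min_hits=2):
    """Count probe hits per source; return (blocks, skipped, hits). Sources inside a
    protected network (loopback, gateway, DNS, own subnet) go to 'skipped' for review."""
    protected = [ipaddress.ip_network(n) for n in protected_networks]
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec[1]):
            hits[rec[0]] += 1
    blocks, skipped = [], []
    for host, count in hits.items():
        if count < min_hits:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            skipped.append(host)  # resolved hostname, not an address: never guess
            continue
        (skipped if any(addr in net for net in protected) else blocks).append(host)
    return sorted(blocks), sorted(skipped), hits

# Constructed sample: two probes modelled on the excerpt in the thread, two probes
# carrying a spoofed loopback source, and one ordinary page request.
SAMPLE_LOG = [
    '64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601',
    '64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601',
    '127.0.0.1 - - [10/Apr/2002:17:12:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601',
    '127.0.0.1 - - [10/Apr/2002:17:12:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601',
    '192.0.2.44 - - [10/Apr/2002:17:13:00 -0400] "GET /index.html HTTP/1.0" 200 2326',
]
PROTECTED = ["127.0.0.0/8", "192.0.2.0/24"]  # loopback plus the server's own /24 (assumed)
```

Feeding the real access log through `candidate_blocks` gives a list a human can check against the gateway and resolver addresses before any ipchains/iptables rule is written.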
