Date: Fri, 28 Sep 2001 03:53:59 +0200 (SAST)
From: The Psychotic Viper <psyv@sec-it.net>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Apache server log
Message-ID: <20010928032932.H5555-100000@lucifer.fuzion.ath.cx>
In-Reply-To: <20010928090745.D482@k7.mavetju.org>
Hi,

On Fri, 28 Sep 2001, Edwin Groothuis wrote:

> On Thu, Sep 27, 2001 at 02:21:48PM -0400, Louis LeBlanc wrote:
> > On 09/27/01 11:30 AM, Marius Kirschner sat at the `puter and typed:
> > > Yep, that's Nimda, alright. Nothing you have to worry about if you run
> > > a unix system.
> >
> > Correct. However, there's no reason you can't do something about it.
> > You've heard of Apache::CodeRed? Well, it's a mod_perl handler. It
> > handles the requests for default.ida by looking up the requesting IP
> > and sending a warning to the web admin and abuse authorities as well
> > as securityfocus.com.
>
> I've created a Code Red & Nimda spammer, which does the same (sending
> messages about it to the webadmin, abuse, postmaster and the
> information coming from DNS and whois) but it isn't real-time.
>
> See http://www.mavetju.org/networking/tools.phtml for it.

I agree that notifying admins of things like this could help, but an automated tool can lead to a DoS of sorts in some circumstances. Consider the rate of infection/scans and then weigh it up against the actual rate of a successful notification, and it all seems to be not that much of a profitable exercise. The basic idea has been discussed in numerous places under different guises, such as responding to scan attempts in different ways like these or firewalling methods.

A good example is my own case: I get about 150+ scans from Nimda alone on a dialup connection daily (that's in only a 12-hour period as well, on a higher end IP subnet). Now look at your "spammer" and consider that you would send out at the very least 5 emails for each scan/attempt, not to mention a whois and DNS lookup; that equates to 5*150 (for 12 hours) or 5*300 (could be even more). This rate can easily be more or less. That at the least would cause resources to be delegated to a task that could easily be ignored.

Also consider that in most cases those emails would be ignored or not help in the case of ISPs, who would be inundated with these mails and not give it the attention it would deserve. Basically, all I want to say is that such actions can prove futile and possibly negative; rather, try educating your fellow admins and users as best you can with that time. :)

PsyV
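The thread contrasts a per-request notifier (Apache::CodeRed, Edwin's tool) with PsyV's objection that 5 mails per scan across 150+ scans a day is mostly wasted effort. The script below is an added example, not code from either poster or from Apache::CodeRed: it scans Apache common-log lines for the /default.ida probe named in the thread (plus the cmd.exe and root.exe probes Nimda was widely documented to send), collapses all hits from one source IP within a time window into a single digest, caps the number of digests, and reports the mail volume a per-scan notifier would have produced using the thread's figure of 5 mails per scan. The log lines, IPs and timestamps are constructed for the example; the `MAILS_PER_SCAN`, `window` and `max_notices` names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format, e.g.
# 10.0.0.5 - - [27/Sep/2001:11:30:02 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 295
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Worm probe signatures: /default.ida is the Code Red request the thread names;
# cmd.exe / root.exe are the probe paths Nimda was widely documented to send.
SIGNATURES = {
    "codered": re.compile(r"^/default\.ida", re.I),
    "nimda": re.compile(r"(cmd\.exe|root\.exe)", re.I),
}

# Figure used in the thread: at least 5 mails per scan from a per-request notifier.
MAILS_PER_SCAN = 5

# Constructed sample log (not real traffic). The last line is a day earlier and
# should fall outside a 12-hour window anchored on the newest event.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2001:11:30:02 +0200] "GET /default.ida?XXXXXXXXXXXXX%u9090 HTTP/1.0" 404 295
10.0.0.5 - - [27/Sep/2001:11:31:10 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.5 - - [27/Sep/2001:11:31:11 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
10.0.0.9 - - [27/Sep/2001:12:05:44 +0200] "GET /index.html HTTP/1.0" 200 1532
10.0.0.7 - - [27/Sep/2001:13:00:00 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 295
10.0.0.5 - - [26/Sep/2001:09:00:00 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 295
"""


def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def classify(path):
    """Return the signature name a request path matches, or None for normal traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def aggregate(lines, window=timedelta(hours=12), max_notices=50):
    """Collapse worm probes into one digest per source IP within the window.

    Returns the number of scans seen, the capped list of digests, the mail count a
    per-scan notifier would have sent, and the mail count the digest approach sends.
    """
    events = [e for e in (parse_line(l) for l in lines) if e and classify(e["path"])]
    if not events:
        return {"scans": 0, "digests": [], "naive_mails": 0, "digest_mails": 0}
    # Window is anchored on the newest probe so an old log tail does not inflate counts.
    cutoff = max(e["ts"] for e in events) - window
    recent = [e for e in events if e["ts"] >= cutoff]

    per_ip = defaultdict(lambda: {"count": 0, "worms": set(), "first": None, "last": None})
    for e in recent:
        d = per_ip[e["ip"]]
        d["count"] += 1
        d["worms"].add(classify(e["path"]))
        d["first"] = e["ts"] if d["first"] is None else min(d["first"], e["ts"])
        d["last"] = e["ts"] if d["last"] is None else max(d["last"], e["ts"])

    # Noisiest sources first; the cap bounds how much work (mail, whois, DNS) one run can trigger.
    digests = sorted(
        ({"ip": ip, **d, "worms": sorted(d["worms"])} for ip, d in per_ip.items()),
        key=lambda d: d["count"], reverse=True,
    )[:max_notices]
    return {
        "scans": len(recent),
        "digests": digests,
        "naive_mails": len(recent) * MAILS_PER_SCAN,
        "digest_mails": len(digests),
    }


if __name__ == "__main__":
    report = aggregate(SAMPLE_LOG.splitlines())
    print(f"{report['scans']} probes in window; per-scan notifier would send "
          f"{report['naive_mails']} mails, digest approach sends {report['digest_mails']}")
    for d in report["digests"]:
        print(f"  {d['ip']}: {d['count']} hits ({', '.join(d['worms'])}) "
              f"{d['first']:%H:%M} - {d['last']:%H:%M}")
```

On the constructed sample, four probes inside the window become two digests instead of twenty mails; the `max_notices` cap is what keeps a flood of infected hosts from turning the notifier itself into the resource drain PsyV describes.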