Slashdot Mirror


User: TheWil

TheWil's activity in the archive.

Stories: 0
Comments: 3

Comments · 3

  1. Shutdown attackers' web server on Tarpits for Microsoft Worms · Score: 1

    Okay, please don't flame this suggestion (in case I haven't thought it through).

    Nimda is basically pissing me off because of the generated network traffic. A possible solution is to shut down (and clean) the infected IIS servers. From my understanding the worm has a number of phases, but they basically allow programs to be run on the infected machine (to set up Samba mounts etc.). So how about this:

    • Map all virus HTTP requests (or appropriate ones) to a script. No rocket science here.
    • When receiving a request make a connection to the sender asking it to "run a command" on the infected machine. Choose a command to either shutdown the web server or reboot the machine or something that isn't too nasty but puts it out of action.

    I'm not that familiar with Windows so I don't know how easy/feasible this is. It's a challenge, and if I wasn't going on holidays in two days with a shitload of things to do I'd make it my new short-term pet project.

    Wil
    --
    http://bd4.amristar.com.au/

  2. Re:Network traffic ... (Weird Indian machine) on New (More) Annoying Microsoft Worm Hits Net · Score: 1

    Basically we can't do anything, since any traffic which gets to us has already passed through our ISP and been charged for. Unless we can "pretend to be infected" and stop attacks, there's no point. Anyway, ...

    I added a PHP script (formatted out of the last message) which logs the IP and hostname and does a bit of a sleep before returning a message. Of the IP addresses, all except one (about 100 so far) started with 208. This one was 210.212.130.7, which we traced back to India. Interestingly, this machine was one of the few which was not itself infected (i.e. the web server returned forbiddens and a 404 on the home page, as opposed to the others, which either gave cookies and were obviously in a crappy state or had been brought down).

    We've since seen a 38.165.144.38 (onetooneinteractive.com) which doesn't begin with 208, so I guess the worm tends to pick IPs "close" but every now and again chooses one far away. Either way, our traces through Indian ISPs and similar-looking IPs to www.pak.gov.pk didn't yield anything conclusive :)

    Let's hope the FBI's as thorough before someone starts launching missiles,

    Wil
    --
    http://bd4.amristar.com.au/

  3. Network traffic and possible blocks. Any ideas? on New (More) Annoying Microsoft Worm Hits Net · Score: 1

    I have just tried to "slow" or stop this worm from hitting our servers, but it appears to be basically a brute-force worm. Can anyone provide information on what to send to it to tell it "I have the virus" or similar, so the same web server won't keep knocking on the door? Currently about 50 IP addresses are continually requesting different URLs.

    My action was to add the following ".htaccess" file (for Apache):

    ---
    RewriteEngine On
    RewriteRule ^c/.* nimda.phtml [L]
    RewriteRule ^d/.* nimda.phtml [L]
    RewriteRule ^MSADC/.* nimda.phtml [L]
    RewriteRule ^msadc/.* nimda.phtml [L]
    RewriteRule ^_mem_bin/.* nimda.phtml [L]
    RewriteRule ^_vti_bin/.* nimda.phtml [L]
    RewriteRule ^var/.* nimda.phtml [L]
    RewriteRule ^default.ida.* nimda.phtml [L]
    RewriteRule nimda.phtml nimda.phtml [L]
    ---

    with the script "nimda.phtml" (actually called #$%&Off.phtml) looking like this:

    --- ---

    This seems to slow the virus, but probably only delays it a little. It does not appear to operate sequentially (I haven't timed/tested).

    Basically I'm looking for a way to reduce the network traffic. Even turning the web server off will still incur the cost of the traffic?

    Wil
    --
    http://bd4.amristar.com.au/ (online game)
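
The posts above route the worm's probe URLs to a tarpit script and count which sources keep knocking. As an added example (not the poster's code, which did not survive in the archive), the following Python module does the counting side of that offline, over Apache access-log lines: it recognises the same probe prefixes the .htaccess above matched, plus the IIS `cmd.exe`/`root.exe` requests and the `..%255c` / `..%c1%1c` traversal encodings those probes carry, tallies hits per source address, and records whether each source shares the server's first octets, which is the "close" pattern observed in comment 2. Assumptions, all labelled in the code: Apache combined log format, a hypothetical server address `208.10.99.1`, the `/scripts/` prefix added to the poster's list, and constructed sample log lines.

```python
"""Tally Nimda-style IIS probes in Apache access logs, per source address.

Added example for the tarpit discussion above; not code from the original posts.
Assumes the Apache "combined" log format and a hypothetical server IP.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Hypothetical address of the probed web server (assumption, for the
# "close vs far" classification below).
SERVER_IP = "208.10.99.1"

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Prefixes the poster's .htaccess routed to the tarpit, as absolute paths.
# "/scripts/" is an assumption added here (the other IIS location the worm
# reaches cmd.exe through); the rest are taken from the post.
PROBE_PREFIXES = (
    "/c/", "/d/", "/MSADC/", "/msadc/", "/_mem_bin/", "/_vti_bin/",
    "/var/", "/default.ida", "/scripts/",
)

# Directory-traversal encodings used against IIS (unicode / double-decode).
TRAVERSAL_RE = re.compile(
    r"\.\.(?:%255c|%5c|%2f|%252f|%c0%af|%c1%1c|%c1%9c|\\|/)", re.IGNORECASE
)


def is_probe(path: str) -> bool:
    """True if the request path looks like a Nimda/Code Red style IIS probe."""
    if path.startswith(PROBE_PREFIXES):
        return True
    low = path.lower()
    return bool(TRAVERSAL_RE.search(path)) or "cmd.exe" in low or "root.exe" in low


def proximity(src: str, server: str) -> str:
    """Classify how 'close' a source is to the server in address space."""
    a, b = ip_address(src).packed, ip_address(server).packed
    if a[:2] == b[:2]:
        return "same /16"
    if a[0] == b[0]:
        return "same /8"
    return "far"


def summarize(lines, server_ip: str):
    """Return (hits per source IP, hits per probe path, hits per proximity class)."""
    per_ip, per_path, near = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                      # skip lines not in combined format
            continue
        path = m["path"]
        if not is_probe(path):
            continue
        per_ip[m["ip"]] += 1
        per_path[path.split("?", 1)[0]] += 1   # drop the ?/c+dir query part
        near[proximity(m["ip"], server_ip)] += 1
    return per_ip, per_path, near


def noisy_sources(per_ip: Counter, threshold: int) -> list:
    """Sources with at least `threshold` probes: the list to hand upstream for blocking."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
208.10.20.30 - - [18/Sep/2001:10:00:01 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
208.10.20.30 - - [18/Sep/2001:10:00:02 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
208.10.20.30 - - [18/Sep/2001:10:00:03 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
208.10.20.30 - - [18/Sep/2001:10:00:04 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
208.33.44.55 - - [18/Sep/2001:10:00:05 +1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
38.165.144.38 - - [18/Sep/2001:10:00:06 +1000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 200
203.0.113.9 - - [18/Sep/2001:10:00:07 +1000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [18/Sep/2001:10:00:08 +1000] "GET /game/play.phtml?level=3 HTTP/1.1" 200 1044
this line is not in combined format
"""

if __name__ == "__main__":
    per_ip, per_path, near = summarize(SAMPLE_LOG.splitlines(), SERVER_IP)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n:4} probes ({proximity(ip, SERVER_IP)})")
    print("by proximity:", dict(near))
    print("block candidates (>=3 hits):", noisy_sources(per_ip, 3))
```

Run it against a real log with `summarize(open("access_log"), server_ip)`. Note the caveat the poster already suspected: a tarpit that sleeps only holds one of the worm's connections at a time and does nothing about the bytes already delivered to your link, so the useful output here is the per-source list, which is what you can hand to the upstream provider to drop before it is counted against you.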