
RE: [cobalt-users] Code Red variations



> I'm still getting attempts with both NN and XX. Don't worry too much
> about it, as it can't affect your Linux box (yet - wait for version
> 3/4). Just keep an eye on it and see if you can get your ISP or NOC
> to block those attempts, if they can...
>
> Hmm, that makes me wonder. I have an idea!
> How about making a default server-wide page (like how an error
> document is set up) that responds to "default.ida?*"
> Requests to that could be redirected to a script (CGI or PHP) that
> grabbed the IP of the machine and tossed it into IPChains to be
> denied. It wouldn't stop the first request from each machine, of
> course, but it would stop any repeated requests.
> Which begs the question - ARE there any repeated requests? I haven't
> looked in my logs for this, maybe someone else already has.
>
> Another idea is that the script would generate a whois on the IP and
> fire off an email to the IP's owner or upstream alerting them that
> they're infected and to take action?
>
> Dunno, just trying to come up with some kind of response other than
> sitting here helplessly watching my logs and stats fill up with this
> useless crap...
> --
> CarrieB
> "The point to remember is that what the government gives, it must
> first take away." --John S. Coleman
>

Nice idea,
But it relies on the server that sent it being alive still - I experimentally
tossed a few IP addresses it had come from into IE5 and mostly I got a
"server not responding" type message back.
So by emailing them you could just end up with a host of bounce messages
cluttering things up even more!

Phil
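
The question raised in the quoted message, whether any host sends repeated "default.ida" requests, can be answered from the web server's access log. The following is an added example, not part of the original thread: it assumes Apache common log format, and the sample log lines are constructed, using documentation-range IP addresses and shortened query strings.

```python
import re
from collections import Counter

# Constructed sample lines (assumed Apache common log format).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:10:01:02 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [06/Aug/2001:10:03:40 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [06/Aug/2001:11:15:09 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [06/Aug/2001:11:20:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [06/Aug/2001:12:30:44 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
"""

# client IP, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def probe_variant(path):
    """Return 'N', 'X' or 'other' for a default.ida request, else None."""
    base, _, query = path.partition("?")
    if base.lower() != "/default.ida":
        return None
    first = query[:1]
    return first if first in ("N", "X") else "other"


def count_probes(log_text):
    """Map each source IP to a Counter of the probe variants it sent."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log entries
        ip, _method, path, _status = m.groups()
        variant = probe_variant(path)
        if variant:
            hits.setdefault(ip, Counter())[variant] += 1
    return hits


def repeat_sources(hits, threshold=2):
    """Source IPs that sent at least `threshold` probes in total."""
    return sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    hits = count_probes(SAMPLE_LOG)
    for ip in repeat_sources(hits):
        print(ip, dict(hits[ip]))
```

Sources that never repeat would gain nothing from a per-IP deny rule, so the repeat count shows whether the blocking script idea is worth its overhead.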