Re: [cobalt-users] Code Red
- Subject: Re: [cobalt-users] Code Red
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Thu Aug 9 08:24:40 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>There have been frequent threads about Code Red and even a few scripts to check how many times it has attacked.
>
>Here is a challenge for any top scripters out there...
>
>Write a script which monitors the access log and if it sees telltale signs (e.g. requests for .ida) it then blocks that IP address, using IPCHAINS or similar.
>
>I don't even know if this would help but if the Code Red could not even see the server, would it not just go away and bother someone else?
>
>Even better would be to log the IP address, do a dig on the results and send an abusive message to the administrator of the site it resolves to (if available) or the admin for the IP block.
We've had good results sending invoices for admin time - based on number of requests sent.
We took anyone whose machines had sent more than 100 requests, emailed them an invoice for $1.99 per request and told them that they could remove the Code Red by following the new instructions at Microsoft.com and that failure to do so would result in the bill becoming real. We gave them 24 hours - and to date everyone we sent them to has stopped their servers probing us.
As our initial phone canvassing of some of the worst problem NOCs yielded "we already fixed that!" responses - we changed our emails to point out that there were now 3 variants, and that they were re-infected with v3.
I hope this helps
regards
Greg
>
>Jason Vaughan
>Netergy.com
>--
> ---------------------------------------------
>Jason Vaughan
> Netergy.com Limited
> Studio 1B, 101 Farm Lane, London SW6 1QJ
> T: 020 7610 1010 - F: 020 7610 1551
> http://www.netergy.com
> http://www.anynames.com
> ---------------------------------------------
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
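
An added example, not part of either poster's message: a Python sketch of the log check discussed in this thread, counting `.ida` requests per client and listing the addresses that sent more than 100. It assumes a Common Log Format access log; the sample lines, the function names and the choice to print `ipchains` rules for review rather than run them are all assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')

def ida_hits(lines):
    """Count requests whose path ends in .ida, per client IPv4 address."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        if not target.split("?", 1)[0].lower().endswith(".ida"):
            continue
        try:
            # Log fields are untrusted input; accept only a literal IPv4
            # address so nothing else can reach a firewall command line.
            client = str(ipaddress.IPv4Address(client))
        except ValueError:
            continue  # hostname (HostnameLookups on) or malformed field
        hits[client] += 1
    return hits

def offenders(hits, threshold=100):
    """(ip, count) pairs with more than `threshold` hits, busiest first."""
    return [(ip, n) for ip, n in hits.most_common() if n > threshold]

def block_rules(ips):
    """Render ipchains DENY rules as text for review; nothing is executed."""
    return ["ipchains -A input -s %s -j DENY" % ip for ip in ips]

def _line(client, target):  # helper for the constructed sample below
    return '%s - - [09/Aug/2001:08:00:00 -0600] "GET %s HTTP/1.0" 404 205' % (client, target)

# Constructed sample log using documentation-range addresses.
SAMPLE = (
    [_line("192.0.2.10", "/default.ida?NNNNNNNNNNNN")] * 101
    + [_line("198.51.100.7", "/default.ida?XXXXXXXXXXXX")] * 3
    + [_line("203.0.113.5", "/index.html"), _line("203.0.113.5", "/ida.html")]
    + [_line("bad;host", "/default.ida?NNNN")]
)

if __name__ == "__main__":
    found = offenders(ida_hits(SAMPLE))
    for ip, n in found:
        print("%-15s %d requests" % (ip, n))
    print("\n".join(block_rules(ip for ip, _ in found)))
```

Entries logged by hostname are skipped rather than resolved, so the count only covers clients recorded by address.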