[cobalt-users] Maybe we can do something about NIMDA
- Subject: [cobalt-users] Maybe we can do something about NIMDA
- From: "Tomi Crnicki" <tcrnicki@xxxxxxxxxxxx>
- Date: Thu Sep 20 14:31:28 2001
- Organization: Abacus
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi!
I tried to figure out what to do with this damn Nimda worm and I got
an idea but I would like to hear your legal and technical opinion.
Most of us have a script running and we know what machines are
infected and are probing our server(s). If the worm got onto the
machine the security gap the worm used seems to still be present
on the system (I doubt it patched the system, right ;-)) ).
My idea: why not use this same security hole to disable the damn
worm and machine. I am not thinking of doing any harm but only
something like disabling a route to at least my netblock or even
better disabling its TCP/IP protocol so not only will it not bother
me, but also it will not bother anybody else.
This should be possible with a remote route and/or ipconfig
command or something similar on the NT machine if I am not
missing something important. Someone with expertise on the NT
could be able to provide the info of what to do best.
Also a pop-up message on the screen that the machine is infected
would be a good idea.
I have at least 2000 IPs on my list. I know some are dynamic dial-up
users that are not connected anymore but many are machines
with static IPs. A non-infected machine would have no trouble
handling the few requests that would disarm the infected servers.
What do you say? Is it possible? Should we go for this, or are we in
this case doing something illegal even if it is protecting ourselves
and others?
If it is technically possible and not illegal, should we still report in
advance our intended activity to someone so we don't get messed
up with the bad guys? Even better: is there such an authority at
least somewhere in the world that could legally do this and we only
send them lists of infected IPs?
Regards,
Tomi Crnicki - Abacus, Croatia
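The post mentions "a script running" that tells the list members which machines are probing their servers and the resulting list of infected IPs. The following is an added example (not from the post, not a Cobalt or Abacus script) of what such a detection script looks like from the defender's side: it parses Apache-style access-log lines, flags the request paths Nimda's HTTP propagation used (`root.exe`, `cmd.exe`, `default.ida`, and the `..%5c` / `..%255c` directory-traversal forms), and counts probes per source address so the list can be handed to an upstream provider or abuse contact. The log lines are constructed samples, and the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample Apache common-log lines; the addresses are documentation
# ranges, not real hosts from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2001:14:31:28 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [20/Sep/2001:14:31:29 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 275
10.0.0.5 - - [20/Sep/2001:14:31:30 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
192.0.2.17 - - [20/Sep/2001:14:32:01 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.44 - - [20/Sep/2001:14:33:10 +0200] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
192.0.2.44 - - [20/Sep/2001:14:33:11 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
"""

# Apache common/combined log prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request-path fragments characteristic of Nimda's IIS propagation attempts:
# the root.exe backdoor left by Code Red II, direct cmd.exe calls, the
# default.ida buffer overflow, and the Unicode/double-encoded traversal forms.
NIMDA_PROBE = re.compile(
    r'(root\.exe|cmd\.exe|default\.ida|\.\.%5c|\.\.%255c)',
    re.IGNORECASE,
)


def parse_line(line):
    """Return (ip, path, status) for a well-formed log line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def is_nimda_probe(path):
    """True when the request path matches a known Nimda propagation pattern."""
    return NIMDA_PROBE.search(path) is not None


def find_probing_hosts(log_text, min_hits=1):
    """Count Nimda-style probes per source IP; keep hosts with >= min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash mid-log
        ip, path, _status = parsed
        if is_nimda_probe(path):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def report_lines(hosts):
    """Format the infected-host list for an abuse report, busiest first."""
    ranked = sorted(hosts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%s\t%d Nimda probe(s)" % (ip, n) for ip, n in ranked]


if __name__ == "__main__":
    for row in report_lines(find_probing_hosts(SAMPLE_LOG)):
        print(row)
```

Requiring two or more hits (`min_hits=2`) cuts down false positives from a single stray request, at the cost of missing hosts that only managed one probe before the connection dropped; Nimda normally issued a whole burst of variants in sequence, so the threshold is usually safe.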