what do you think?

From: Big Bird (condor_at_biosys.net)
Date: 05/28/03

    Date: 27 May 2003 21:53:10 -0700
    
    

    A while ago, I got tired of those bogus error messages in my apache
    logs bugging me about a nonexistent "default.ida" - so I *created* a
    file named 'default.ida' that consists of the following few lines:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <HTML>
    <HEAD>
      <title>Oops!</title>
      <META HTTP-EQUIV="Refresh" CONTENT="2; URL=http://localhost/">
    </head><body>
    <tt>DEFAULT.IDA</tt> brought to you by Apache.
    </body>
    </html>

    Now I told a friend about this and he suggested that this is being way
    too nice -- his recommendation was symlinking default.ida to
    /dev/random and feeding the worms garbage until they die.

    I don't know if nimda (or code red or whichever worm wants
    default.ida) opens multiple net-connections, but if it does, this
    would amount to a distributed DOS attack by the targets on the
    infected machine. On the one hand this seems wrong to me, but on the
    other hand it seems as if it were a good thing to deny service to a
    machine that is out to infect other machines.

    The ethics of this situation have me puzzled. It seems the ideal thing
    would be a script that returns to the worm something that it then
    processes and which shuts it down -- but short of such
    windows-wizardry (about which I know very little) it seems in
    everybody's interest to keep a wormed machine infinitely busy chewing
    garbage, no? Yes?

    Opinions, anybody?

