[ale] Abuse

Jason Day jasonday at worldnet.att.net
Thu May 15 14:27:38 EDT 2003


On Wed, May 14, 2003 at 04:42:54PM -0700, Stephen Turner wrote:
> ohh yea Code Red, damn i thought that thing and all its buddies was dead by
> now... hmm, why not spam the hell out of their server with messages saying
> they were infected and need to patch? :-p damn i guess it takes a lazy
> admin to not see they are sending out a Code Red attack? i mean that does
> show up in logs right? that would get on my nerves soo bad lol.. im glad

I think the problem is that most of the servers that are still infected
(and still being infected) are not really servers, they are desktop
systems of typical Windows users.  I'm not trying to insult Windows
users, but a typical Windows user is not an admin (by design), and is
most likely unaware that they are even running a web server.  The
default install for NT "helpfully" installed and enabled web and FTP
services by default.

> im not running a server i would waste all my time reporting them :-p or
> worse. hmm maybe the virus idea was a bad shot, i was thinking of a
> script kiddie just trying to hack from his own box but that seldom
> happens these days anyways,.. *bangs head on desk* when will i learn. i
> got a mean streak in me. now wait, if they are trying to attack your IIS
> server that doesn't exist, is there some way to get a browser to pop up on
> their server and say "you're infected" or something? LOL wonder how much

I seem to remember someone writing a program (can't remember if it was
an Apache module, or a log scanner) that would connect back to the
infected server, get a root shell (it's already got a back door), and
reboot it.  I think the original Code Red was memory-resident only, so
this "fixed" the infected box, at least until it got infected again.
There was a lot of talk about automatically applying the fix for Code
Red in the same way, but I don't know if anything ever came from that.
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9