[linux-elitists] nimda - cheese or notify script?

Rick Bradley roundeye@roundeye.net
Tue Sep 18 13:04:45 PDT 2001

* Karsten M. Self (kmself@ix.netcom.com) [010918 14:58]:
> Anyone aware of a nimda cheese counterworm or a notify script for
> shutting down the attack?

Not as of yet.  http://www.incidents.org/react/nimda.php has good info
on what nimda appears to be doing.

I'm wondering if "Admin.dll" might not be a weak point.  Maybe a
counterworm could TFTP something useful on top of Admin.dll.

> My dialup has had 64 connection attempts to date, starting at 6:30 this
> morning.

242 here as of an hour ago on 128Kb up DSL.  

> ...I'm currently running 'host' and 'whois' on the 64 hosts detected.

I contacted Southwestern Bell's NOC (not tech support) and my call was
the first they'd heard of it.  When I informed the guy what was up he
was very interested in getting logs.  I sent him a list of IPs in my
/16 (which is all swbell) along with the corresponding log entries via

I'm hoping that if they know which IPs are infected they won't ban
port 80 for everyone else like some ISPs did for CR*.
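
The reporting step described in the message above (picking out the probing hosts that sit in your own /16 and keeping their log entries to hand to the ISP's NOC), as an added example that is not part of the original post. It assumes Common Log Format web server logs; the sample lines, the 10.20.0.0/16 network, and the marker list beyond "Admin.dll" are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: substrings treated as probe markers. "Admin.dll" is named in the
# post; the other two are illustrative and should be tuned to your own logs.
PROBE_MARKERS = ("admin.dll", "cmd.exe", "root.exe")

# Common Log Format: client address first, request line in the first quoted field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')

# Constructed sample input (not real log data).
SAMPLE_LOG = [
    '10.20.5.9 - - [18/Sep/2001:09:12:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '10.20.5.9 - - [18/Sep/2001:09:12:02 -0500] "GET /scripts/Admin.dll HTTP/1.0" 404 208',
    '10.20.77.3 - - [18/Sep/2001:09:13:40 -0500] "GET /index.html HTTP/1.0" 200 1024',
    '172.16.4.4 - - [18/Sep/2001:09:14:05 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212',
    'garbage line without the expected fields',
]

def neighbours_to_report(log_lines, own_network):
    """Map each probing client inside own_network to its matching log lines."""
    net = ipaddress.ip_network(own_network)
    report = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        try:
            client = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # logged as a hostname, not an address
        request = m.group(2).lower()
        if client in net and any(k in request for k in PROBE_MARKERS):
            report[str(client)].append(line)
    return dict(report)

def format_report(report):
    """Render one block per host, sorted numerically by address."""
    out = []
    for ip in sorted(report, key=ipaddress.ip_address):
        out.append(f"{ip} ({len(report[ip])} entries)")
        out.extend("    " + entry for entry in report[ip])
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(neighbours_to_report(SAMPLE_LOG, "10.20.0.0/16")))
```

Hosts outside the given network and ordinary requests from inside it are left out, so the report contains only what the upstream NOC can act on.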

