[linux-elitists] nimda - cheese or notify script?

Rick Bradley roundeye@roundeye.net
Tue Sep 18 13:04:45 PDT 2001


* Karsten M. Self (kmself@ix.netcom.com) [010918 14:58]:
> Anyone aware of a nimda cheese counterworm or a notify script for
> shutting down the attack?

Not as of yet.  http://www.incidents.org/react/nimda.php has good info
on what nimda appears to be doing.

I'm wondering if "Admin.dll" might not be a weak point.  Maybe a
counterworm could TFTP something useful on top of Admin.dll.

> My dialup has had 64 connection attempts to date, starting at 6:30 this
> morning.

242 here as of an hour ago on 128Kb up DSL.  

> ...I'm currently running 'host' and 'whois' on the 64 hosts detected.

I contacted Southwestern Bell's NOC (not tech support) and my call was
the first they'd heard of it.  When I informed the guy what was up he
was very interested in getting logs.  I sent him a list of IPs in my
/16 (which is all swbell) along with the corresponding log entries via
"abuse@swbell.net".

I'm hoping that if they know which IPs are infected they won't ban
port 80 for everyone else like some ISPs did for CR*.

Rick
-- 
 Mostly useless pseudo-random number: 1000
 Rick Bradley - http://xns.org/=rick@eastcore.net  (94 F)
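
Added example, not part of the original post: one way to pull the log entries for probing hosts inside your own /16 out of a web server access log, grouped per source IP, ready to send to an ISP abuse contact. The log lines, the 10.20.0.0/16 network and the function names are constructed for illustration; "Admin.dll" comes from the post, while cmd.exe and root.exe as probe markers are an assumption based on publicly documented Nimda requests.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (not real hosts).
SAMPLE_LOG = """\
10.20.3.4 - - [18/Sep/2001:09:12:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.20.3.4 - - [18/Sep/2001:09:12:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
10.20.77.9 - - [18/Sep/2001:09:15:40 -0500] "GET /scripts/Admin.dll HTTP/1.0" 404 207
192.0.2.15 - - [18/Sep/2001:09:16:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212
10.20.5.6 - - [18/Sep/2001:09:17:30 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Substrings treated as probe indicators (assumption, see lead-in).
MARKERS = ("cmd.exe", "root.exe", "admin.dll")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')


def probes_in_network(log_text, cidr):
    """Return {source_ip: [raw log lines]} for probe requests from inside cidr."""
    net = ipaddress.ip_network(cidr)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # server logged a hostname instead of an address
        request = m.group(3).lower()
        if src in net and any(k in request for k in MARKERS):
            hits[str(src)].append(line)
    return dict(hits)


def abuse_report(hits):
    """Format the hits as plain text: one header per IP, then its log lines."""
    out = []
    for ip in sorted(hits, key=ipaddress.ip_address):
        out.append(f"{ip} ({len(hits[ip])} probe requests)")
        out.extend("    " + entry for entry in hits[ip])
    return "\n".join(out)


if __name__ == "__main__":
    print(abuse_report(probes_in_network(SAMPLE_LOG, "10.20.0.0/16")))
```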


